Security advisories (contrib)


Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

22 May 2019, 18:29
Project: Menu Item Extras
Date: 2019-May-22
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Description:

This module enables you to handle fields for Custom Menu Links.
The module doesn't sufficiently check requests to one of its controllers when the user has the 'administer menu' permission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

Solution: 

Install the latest version:


Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049

22 May 2019, 18:27
Project: Workflow
Date: 2019-May-22
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Workflow module enables you to create arbitrary Workflows, and assign them to Entities.
The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer nodes" and "administer workflow".

Solution: 

Install the latest version:


Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

15 May 2019, 19:13
Project: Multiple Registration
Date: 2019-May-15
Security risk: Critical 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles may be assigned during registration, so a user can register an account with the administrator role.

This vulnerability is mitigated on sites where account approval is required, as the new user starts as blocked but still receives the "Administrator" role.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By:
• Cash Williams of the Drupal Security Team
Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

15 May 2019, 19:09
Project: Opigno Learning path
Date: 2019-May-15
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

In certain configurations, when a learning path is configured as semi-private, anonymous users are allowed to join it when they should not.

Solution:

Install the latest version:

Also see the Opigno Learning path project page.

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

15 May 2019, 19:07
Project: Opigno forum
Date: 2019-May-15
Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

In certain circumstances, some forum information may be visible to unprivileged users because the access check uses node access instead of node access grants.

This vulnerability is mitigated by the fact that the module itself does not disclose the information; it is only exposed through listings, such as views, where the site builder or developer has not taken this into account.

Solution:

Install the latest version:

Also see the Opigno forum project page.

TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

17 April 2019, 20:21
Project: TableField
Date: 2019-April-17
Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module allows you to attach tabular data to an entity.

The module doesn't sufficiently verify that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution:

Install the latest version:

• If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044

17 April 2019, 17:46
Project: Stage File Proxy
Version: 7.x-1.x-dev
Date: 2019-April-17
Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Description:

Stage File Proxy is a general solution for fetching production files on a development server on demand.

The module doesn't sufficiently validate requested URLs, allowing an attacker to send repeated requests for files that do not exist, which could exhaust resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).

Solution:

Install the latest version:

Also see the Stage File Proxy project page.

Services - Less critical - Access bypass - SA-CONTRIB-2019-043

3 April 2019, 19:46
Project: Services
Version: 7.x-3.x-dev
Date: 2019-April-03
Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update nodes that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a node.

Solution:

Install the latest version:

Also see the Services project page.

Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

27 March 2019, 18:12
Project: Module Filter
Version: 7.x-2.x-dev
Date: 2019-March-27
Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Description:

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs.

The module doesn't sufficiently escape HTML in this scenario, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have access to input filtered HTML that will be included on the modules administration page, e.g. in a block (this configuration is not common). Further, the Module Filter vertical tabs setting must be enabled.

Solution:

Install the latest version:

Also see the Module Filter project page.

RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041

20 March 2019, 14:31
Project: RESTful
Version: 7.x-2.x-dev, 7.x-1.x-dev
Date: 2019-March-20
Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability: Remote code execution
Description:

This resolves the issues described in SA-CORE-2019-003 for this module.

Solution:

Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040

20 March 2019, 14:28
Project: Back To Top
Version: 7.x-1.x-dev
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to add a button that hovers at the bottom of your screen and allows users to smoothly scroll up the page using jQuery.

The module doesn't sufficiently sanitize the code that gets printed on pages, leading to a Cross Site Scripting (XSS) issue.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access backtotop settings".

Solution:

Install the latest version:

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039

20 March 2019, 14:26
Project: AddToAny Share Buttons
Version: 7.x-4.x-dev
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to add social media share buttons to the content and pages of your website.

The module doesn't sufficiently mark its administration permission as restricted, allowing cross site scripting by users who have access to its admin settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer addtoany".

Solution:

Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038

13 March 2019, 17:49
Project: Simple hierarchical select
Date: 2019-March-13
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site request forgery
Description:

Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabulary hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form.

Version 7.x of Simple hierarchical select doesn't sufficiently check permissions when creating new terms, so attackers can create arbitrary taxonomy terms in any vocabulary the victim has access to.

This vulnerability is mitigated by the fact that an attacker must trick a user with permission to create terms into visiting a specially prepared web page controlled by the attacker.

Solution:

Install the latest version:

• If you use Simple hierarchical select prior to 7.x-1.7, update to 7.x-1.8
• If you are unable to update, simply deactivate the option to allow creating new terms in the widget settings.

Note that the Drupal 8 version of this module is unaffected.

Reported By: Fixed By: Coordinated By:
• Greg Knaddison of the Drupal Security Team
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

13 March 2019, 17:44
Project: Video
Date: 2019-March-13
Security risk: Critical 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

This module provides a field where editors can add videos to their content, and offers functionality to transcode these videos to different sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative forms.

Solution:
• If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14

Also see the Video project page.

Note that the Drupal 8 version of this module is unaffected.

Views - Less critical - Cross site scripting - SA-CONTRIB-2019-036

13 March 2019, 15:05
Project: Views
Version: 7.x-3.x-dev
Date: 2019-March-13
Security risk: Less critical 7∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

This module enables you to create customized lists of data.

The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.

Solution:

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

Views - Moderately critical - Information disclosure - SA-CONTRIB-2019-035

13 March 2019, 15:02
Project: Views
Version: 7.x-3.x-dev
Date: 2019-March-13
Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Description:

This module enables you to create customized lists of data.

The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Solution:

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

Views - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034

13 March 2019, 14:57
Project: Views
Version: 7.x-3.x-dev
Date: 2019-March-13
Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to create customized lists of data.

The module doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Solution:

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

EU Cookie Compliance - Critical - Cross site scripting - SA-CONTRIB-2019-033

6 March 2019, 19:16
Project: EU Cookie Compliance
Version: 7.x-1.x-dev, 8.x-1.x-dev
Date: 2019-March-06
Security risk: Critical 15∕25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module addresses the General Data Protection Regulation (GDPR) that came into effect on 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up the possibility of Cross Site Scripting by somebody who has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.

Solution:

Install the latest version:

Also see the EU Cookie Compliance project page.

Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032

6 March 2019, 15:56
Project: Ubercart
Date: 2019-March-06
Security risk: Moderately critical 12∕25 AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default
Vulnerability: Cross Site Request Forgery
Description:

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

Solution:

Install the latest version:

Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031

6 March 2019, 15:51
Project: Drupal voor Gemeenten
Date: 2019-March-06
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access Bypass
Description:

The DvG distribution contains the feature module dvg_domains to support multiple domains.

When the dvg_domains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages.

This issue can be mitigated by disabling the dvg_domains module.

Solution:

Install the latest version:

• If you use the module dvg_domains from the DvG distribution, upgrade to DvG 7.x-1.9