News reader

Views - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034

Security advisories (contrib) - 13 March 2019, 14:57
Project: Views
Version: 7.x-3.x-dev
Date: 2019-March-13
Security risk: Moderately critical 10/25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to create customized lists of data.

The module doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Solution: 

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

EU Cookie Compliance - Critical - Cross site scripting - SA-CONTRIB-2019-033

Security advisories (contrib) - 6 March 2019, 19:16
Project: EU Cookie Compliance
Version: 7.x-1.x-dev, 8.x-1.x-dev
Date: 2019-March-06
Security risk: Critical 15/25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up the possibility of Cross Site Scripting by anyone who has access to the module's admin interface.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.

Solution: 

Install the latest version:

Also see the EU Cookie Compliance project page.


Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032

Security advisories (contrib) - 6 March 2019, 15:56
Project: Ubercart
Date: 2019-March-06
Security risk: Moderately critical 12/25 AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default
Vulnerability: Cross Site Request Forgery
Description:

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

Solution: 

Install the latest version:


Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031

Security advisories (contrib) - 6 March 2019, 15:51
Project: Drupal voor Gemeenten
Date: 2019-March-06
Security risk: Moderately critical 13/25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access Bypass
Description:

The DvG distribution contains the feature module dvg_domains to support multiple domains.

When the dvg_domains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages.

This issue can be mitigated by disabling the dvg_domains module.

Solution: 

Install the latest version:

  • If you use the module dvg_domains from the DvG distribution, upgrade to DvG 7.x-1.9

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030

Security advisories (contrib) - 27 February 2019, 18:28
Project: Facets
Version: 8.x-1.x-dev
Date: 2019-February-27
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Description:

This module enables you to create facet filters for the results of a search query and exposes them as blocks.

The module doesn't sufficiently escape HTML in the scenario described under the mitigating factors below, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results into the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content on the site. Second, the site must be using the JavaScript-based dropdown widget.

Solution: 

An effective mitigation is to change the widget to use links instead of the dropdown widget.


Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029

Security advisories (contrib) - 27 February 2019, 18:01
Project: Rabbit Hole
Version: 7.x-2.x-dev
Date: 2019-February-27
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path.

The module doesn't respect the Rabbit Hole settings when an entity is being requested with a certain header. This could lead to certain data being exposed even if it shouldn't be. The vulnerability is mitigated by the fact that the user also needs permission to view the content being requested.

Solution: 

Install version 7.x-2.25, available at https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25.


Context - Moderately critical - Cross site scripting - SA-CONTRIB-2019-028

Security advisories (contrib) - 27 February 2019, 17:56
Project: Context
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to manage contextual conditions and reactions for different portions of your site.

The module doesn't sufficiently sanitize user output when it is displayed, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the ability to store malicious markup in the site (e.g. permission to create a node with a field that accepts "filtered html").

Solution: 

Install the latest version:

Also see the Context project page.


Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

Security advisories (contrib) - 27 February 2019, 17:08
Project: Path Breadcrumbs
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to configure breadcrumbs for any Drupal page.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs".

Solution: 

Install the latest version:

Also see the Path Breadcrumbs project page.


Services - Critical - SQL Injection - SA-CONTRIB-2019-026

Security advisories (contrib) - 27 February 2019, 16:55
Project: Services
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: Critical 19/25 AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description:

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources, allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Drupal 7 site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 7.x-3.22 version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

Solution: 

Install the latest version:


Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Security advisories (core) - 20 February 2019, 20:18
Project: Drupal core
Date: 2019-February-20
Security risk: Highly critical 20/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
CVE IDs: CVE-2019-6340
Description:

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • the site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).

Solution:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, for example, resources are typically available both via paths (clean URLs) and via the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.


Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025

Security advisories (contrib) - 20 February 2019, 18:56
Project: Font Awesome Icons
Date: 2019-February-20
Security risk: Critical 18/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024

Security advisories (contrib) - 20 February 2019, 18:49
Project: Translation Management Tool
Date: 2019-February-20
Security risk: Critical 16/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 
  • If you use the TMGMT module for Drupal 8.x, upgrade to TMGMT 8.x-1.7.

Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023

Security advisories (contrib) - 20 February 2019, 18:47
Project: Paragraphs
Date: 2019-February-20
Security risk: Critical 18/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022

Security advisories (contrib) - 20 February 2019, 18:44
Project: Video
Date: 2019-February-20
Security risk: Critical 18/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

  • If you use the Video module for Drupal 8, upgrade to Video 8.x-1.4

Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021

Security advisories (contrib) - 20 February 2019, 18:39
Project: Metatag
Date: 2019-February-20
Security risk: Critical 18/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote code execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020

Security advisories (contrib) - 20 February 2019, 18:38
Project: Link
Date: 2019-February-20
Security risk: Critical 18/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

  • If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.6

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019

Security advisories (contrib) - 20 February 2019, 18:37
Project: JSON:API
Date: 2019-February-20
Security risk: Highly critical 22/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote code execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module.

Solution: 

Install the latest version:

  • If you use the 2.x version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-2.3
  • If you use the 1.x version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-1.25

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018

Security advisories (contrib) - 20 February 2019, 18:35
Project: RESTful Web Services
Date: 2019-February-20
Security risk: Critical 19/25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

  • If you use the RESTful Web Services module for Drupal 7.x, upgrade to restws 7.x-2.8

Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

Security advisories (contrib) - 13 February 2019, 19:31
Project: Entity Registration
Date: 2019-February-13
Security risk: Critical 18/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern.
If anonymous users are allowed to register and:

  • anonymous users have the "View" permission, information included in the registration can be accessed.
  • anonymous users have the "Edit" permission, information included in the registration can be altered.
  • anonymous users have the "Delete" permission, the registration itself can be deleted.

This vulnerability is mitigated by the fact that it only applies to cases where the anonymous user role has specifically been given View, Edit, or Delete access to the specific Registration Type.

Solution: 

Install the latest version:


OAuth 2.0 Client Login (Single Sign-On) - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016

Security advisories (contrib) - 13 February 2019, 19:25
Project: OAuth 2.0 Client Login (Single Sign-On)
Date: 2019-February-13
Security risk: Critical 17/25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables users to log in to a Drupal website through an external provider over the OAuth 2.0 protocol.

The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.

Solution: 

Install the latest version:
