Hírolvasó

Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

Biztonsági figyelmeztetések (contrib) - 2019. július 10. 18.30
Project: Custom PermissionsVersion: 8.x-1.x-devDate: 2019-July-10Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to add and manage additional custom permissions through the administration UI.

The module doesn't sufficiently check for the proper access permissions to this page.

This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form though this is easily known.

Solution: 

Install the latest version:

Also see the Custom Permissions project page.

Reported By: Fixed By: Coordinated By: 

Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Biztonsági figyelmeztetések (contrib) - 2019. június 26. 15.42
Project: Advanced ForumVersion: 7.x-2.x-devDate: 2019-June-26Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides.

The module doesn't sufficiently sanitise user input in specific circumstances. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

Solution: 

Install the latest version:

Also see the Advanced Forum project page.

Reported By: Fixed By: Coordinated By: 

Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053

Biztonsági figyelmeztetések (contrib) - 2019. június 19. 19.08
Project: Easy BreadcrumbVersion: 7.x-2.x-devDate: 2019-June-19Security risk: Critical 18∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitise user input in certain circumstances.

This vulnerability does not require any permissions but can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation.

Solution: 

Install the latest version:

Also see the Easy Breadcrumb project page.

Reported By: Fixed By: Coordinated By: 

Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052

Biztonsági figyelmeztetések (contrib) - 2019. május 29. 19.27
Project: Universally Unique IDentifierDate: 2019-May-29Security risk: Moderately critical 14∕25 AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it's used in combination with Services+REST server.

This vulnerability is mitigated by the fact that an attacker must authenticate to the site, services module must be configured on the site and the user update resource enabled.

Solution: 

Install the latest version:

  • If you use the Universally Unique IDentifier module for Drupal 7.x, upgrade to UUID 7.x-1.3

Also see the Universally Unique IDentifier project page.

Reported By: Fixed By: Coordinated By: 

TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

Biztonsági figyelmeztetések (contrib) - 2019. május 29. 19.11
Project: TableFieldVersion: 7.x-3.x-dev7.x-2.x-devDate: 2019-May-29Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass and Cross Site ScriptingDescription: 

This module allows you to attach tabular data to an entity.

Access bypass

There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.

XSS

When "Raw data (JSON or XML)" is used in the field's Display settings, it doesn't sanitize JSON output before passing it on to be rendered.

This vulnerability is mitigated by the fact that an attacker must have a role with Edit permissions.

Solution: 

Install the latest version:

Also see the TableField project page.

Reported By: Fixed By: Coordinated By: 

Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

Biztonsági figyelmeztetések (contrib) - 2019. május 22. 18.29
Project: Menu Item ExtrasDate: 2019-May-22Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryDescription: 

This module enables you to handle fields for Custom Menu Links.
The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049

Biztonsági figyelmeztetések (contrib) - 2019. május 22. 18.27
Project: WorkflowDate: 2019-May-22Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Workflow module enables you to create arbitrary Workflows, and assign them to Entities.
The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nodes" and "administer workflow".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

Biztonsági figyelmeztetések (contrib) - 2019. május 15. 19.13
Project: Multiple RegistrationDate: 2019-May-15Security risk: Critical 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role.

This vulnerability is mitigated on sites where account approval is required as the user starts as blocked but still gets the "Administrator" role.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
  • Cash Williams of the Drupal Security Team
  • Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

    Biztonsági figyelmeztetések (contrib) - 2019. május 15. 19.09
    Project: Opigno Learning pathDate: 2019-May-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

    In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.

    Solution: 

    Install the latest version:

    Also see the Opigno Learning path project page.

    Reported By: Fixed By: Coordinated By: 

    Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

    Biztonsági figyelmeztetések (contrib) - 2019. május 15. 19.07
    Project: Opigno forumDate: 2019-May-15Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

    In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants.

    This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are listings such as views where the site builder / developer has not taken this into account.

    Solution: 

    Install the latest version:

    Also see the Opigno forum project page.

    Reported By: Fixed By: Coordinated By: 

    Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

    Biztonsági figyelmeztetések (core) - 2019. május 8. 18.56
    Project: Drupal coreDate: 2019-May-08Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Third-party librariesDescription: 

    This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

    In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

    The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

    Also see the Drupal core project page.

    Reported By: Fixed By: 

    Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

    Biztonsági figyelmeztetések (core) - 2019. április 17. 22.30
    Project: Drupal coreDate: 2019-April-17Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

    The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

    jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

    It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

    Also see the Drupal core project page.

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    Reported By: Fixed By: 

    Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

    Biztonsági figyelmeztetések (core) - 2019. április 17. 22.29
    Project: Drupal coreDate: 2019-April-17Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

    This security release fixes third-party dependencies included in or required by Drupal core.

    • CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory:

      Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

    • CVE-2019-10910: Check service IDs are valid. From that advisory:

      Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

    • CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory:

      This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

    Also see the Drupal core project page.

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    Reported By: Fixed By: 

    TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

    Biztonsági figyelmeztetések (contrib) - 2019. április 17. 20.21
    Project: TableFieldDate: 2019-April-17Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

    This module allows you to attach tabular data to an entity.

    The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

    Solution: 

    Install the latest version:

    • If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

    Reported By: Fixed By: Coordinated By: 

    Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044

    Biztonsági figyelmeztetések (contrib) - 2019. április 17. 17.46
    Project: Stage File ProxyVersion: 7.x-1.x-devDate: 2019-April-17Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceDescription: 

    Stage File Proxy is a general solution for getting production files on a development server on demand.

    The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File Proxy is installed.

    This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).

    Solution: 

    Install the latest version:

    Also see the Stage File Proxy project page.

    Reported By: Fixed By: Coordinated By: 

    Services - Less critical - Access bypass - SA-CONTRIB-2019-043

    Biztonsági figyelmeztetések (contrib) - 2019. április 3. 19.46
    Project: ServicesVersion: 7.x-3.x-devDate: 2019-April-03Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

    This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

    The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update nodes that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

    This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a node.

    Solution: 

    Install the latest version:

    Also see the Services project page.

    Reported By: Fixed By: Coordinated By: 

    Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

    Biztonsági figyelmeztetések (contrib) - 2019. március 27. 18.12
    Project: Module FilterVersion: 7.x-2.x-devDate: 2019-March-27Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

    This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs.

    The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.

    This vulnerability is mitigated by the fact that the attacker must have access to input filtered html that will be included on the modules administration page e.g. in a block (this configuration is not common). Further, the Module Filter vertical tabs setting must be enabled.

    Solution: 

    Install the latest version:

    Also see the Module Filter project page.

    Reported By: Fixed By: Coordinated By: