News reader

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Security advisories (contrib) - 6 November 2019, 17:10
Project: Open Social
Date: 2019-November-06
Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Insecure Session Management
Description:

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that have no local password but log in via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and log in to such an account.

This vulnerability is mitigated by the fact that the social_magic_login module must be enabled.

Solution: 

Install the latest version:

Alternatively, disable the module social_magic_login.

Also see the Open Social project page.

Reported By: 
  • Heine of the Drupal Security Team
Fixed By:
Coordinated By:
  • Heine of the Drupal Security Team

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Security advisories (contrib) - 16 October 2019, 18:09
Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for BAT events can view other users' events as well.

Solution: 

Install the latest version:

  • If you use the bat module for Drupal 8.x, upgrade to bat 8.x-1.2

Also see the Booking and Availability Management Tools for Drupal project page.

Reported By: Fixed By: Coordinated By: 

Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Security advisories (contrib) - 9 October 2019, 17:54
Project: Maxlength
Date: 2019-October-09
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the malicious script will not be triggered in the browser of UID 1 or of any user with the "Bypass maxlength setting" permission.

Solution: 

Install the latest version:

Also see the Maxlength project page.

Reported By: Fixed By: Coordinated By: 

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Security advisories (contrib) - 2 October 2019, 19:24
Project: Localization update
Date: 2019-October-02
Security risk: Moderately critical 10/25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Insecure server configuration
Description:

This module enables you to automatically download and update the site's interface translations by fetching them from localize.drupal.org or any other localization server.

The module doesn't sufficiently protect the directory in which it stores translation files. It is conventional for directories that may be writable to be protected by a .htaccess file, so that malicious PHP files placed within them cannot be executed by the web server. This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.
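As an added example (not part of this advisory and not the module's own code), this is the conventional Apache .htaccess pattern Drupal places in writable file directories to stop the web server from executing scripts dropped there. The handler names are the distinctive strings Drupal core uses; any handler name that no Apache module claims has the same effect, because the request then falls through to the core static-file handler. Treat the exact directives as illustrative, since what Drupal core writes varies by version and by whether the directory is public or private:

```apache
# Drop options that would allow listing or executing files in this directory.
Options -Indexes -ExecCGI -Includes -MultiViews

# Route every file through a handler that no module implements, so an
# uploaded .php file is served as inert static content instead of being run.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Re-apply the handler in case a later AddHandler/AddType rule overrode it.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# Where mod_php is loaded, turn the PHP engine off for this tree entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
```

A quick check a site operator can run after updating is to confirm the module's translation directory contains such a file and that a request for a harmless test `.php` file in that directory returns its source (or a denial) rather than executing it. Note that this protection is Apache-specific: on nginx or other servers the equivalent must be done in the server configuration, since `.htaccess` files are ignored there.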

Solution: 

Install the latest version:

Also see the Localization update project page.

Reported By: Fixed By: Coordinated By: 

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Security advisories (contrib) - 2 October 2019, 18:29
Project: Simple AMP (Accelerated Mobile Pages)
Date: 2019-October-02
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module allows display of a site's content in AMP format.

The module doesn't sufficiently check access on unpublished or restricted content.

Solution: 

Install the latest version of the module.

Also see the Simple AMP (Accelerated Mobile Pages) project page.

Reported By: Fixed By: Coordinated By: 

Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070

Security advisories (contrib) - 2 October 2019, 18:09
Project: Ubercart
Date: 2019-October-02
Security risk: Moderately critical 11/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The order module doesn't sufficiently sanitize user input when it is displayed on an invoice, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".

Solution: 

Install the latest version:

Also see the Ubercart project page.

Reported By: Fixed By: Coordinated By: 

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Security advisories (contrib) - 25 September 2019, 16:55
Project: Gutenberg
Date: 2019-September-25
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a new UI experience for node editing: the Gutenberg editor.

The routes used by the Gutenberg editor lack proper permission checks, allowing untrusted users to view and modify some content they should not be able to view or modify.

Solution: 

Install the latest version:

  • If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.8
  • For roles other than administrator, the Administer Gutenberg permission must be given to handle media files on the Gutenberg editor.

Also see the Gutenberg project page.

Reported By: Fixed By: Coordinated By: 

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Security advisories (contrib) - 25 September 2019, 16:43
Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution: 

Install the latest version:

Also see the Permissions by Term project page.

Reported By: Fixed By: Coordinated By: 

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

Security advisories (contrib) - 18 September 2019, 17:17
Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the "Export Tablefield Data as CSV" permission: they can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Export Tablefield Data as CSV".

Solution: 

Install the latest version:

Also see the TableField project page.

Reported By: Fixed By: Coordinated By: 

Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066

Security advisories (contrib) - 18 September 2019, 17:07
Project: Create user permission
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to have a separate permission only for creating users.

The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".

When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.

This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".

Solution: 

Install the latest version:

Also see the Create user permission project page.

Reported By: Fixed By: Coordinated By: 

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Security advisories (contrib) - 21 August 2019, 16:52
Project: Imagecache External
Date: 2019-August-21
Security risk: Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure session token management
Description:

This module allows you to store external images on your server and apply your own image styles to them.

The module exposes cookies to external sites when making external image requests.

This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests to trusted sources.

Solution: 

Install the latest version:

Also see the Imagecache External project page.

Reported By: Fixed By: Coordinated By: 

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Security advisories (contrib) - 14 August 2019, 19:33
Project: Forms Steps
Date: 2019-August-14
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Forms Steps provides a UI to create form workflows using form modes. It creates quick and configurable multi-step forms.

The module doesn't sufficiently check user permissions for access to its workflow entities, which allows users to see any entities that have been created through the different steps of its multi-step forms.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create content linked to the flow. Also, all created content is very hard to edit through the same flow, as you have to know both the URL and the hash linked to the content.

Solution: 

Install the latest version:

Also see the Forms Steps project page.

Reported By: Fixed By: Coordinated By: 

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Security advisories (contrib) - 14 August 2019, 19:26
Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Open Redirect Vulnerability
Description:

The External Link Filter module provides an input filter that replaces external links with a local link that redirects to the target URL.

The module did not protect the redirect URL, so redirects could lead somewhere other than where content authors intended.

Solution: 

Install the latest version:

Also see the External Links Filter project page.

Reported By: Fixed By: Coordinated By: 

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Security advisories (contrib) - 14 August 2019, 19:14
Project: Super Login
Date: 2019-August-14
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module improves the Drupal login page with new features and a new layout.

The module doesn't sufficiently filter text entered in the administration page's text configuration inputs, for example the login text field.

The vulnerability is mitigated by the fact that it can only be exploited by a user with the "Administer super login" permission.

Solution: 

Install the latest version:

Also see the Super Login project page.

Reported By: Fixed By: Coordinated By: 

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Security advisories (contrib) - 14 August 2019, 19:01
Project: scroll to top
Date: 2019-August-14
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Scroll To Top module enables you to have an animated scroll-to-top link at the bottom of the node.

The module does not sufficiently filter configuration text, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Solution: 

Install the latest version of the module.

Also see the scroll to top project page.

Reported By: Fixed By: Coordinated By: 

Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

Security advisories (contrib) - 24 July 2019, 19:36
Project: Existing Values Autocomplete Widget
Date: 2019-July-24
Security risk: Critical 17/25 AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.

The module doesn't sufficiently check for proper access permission before returning autocomplete results.

This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller, although this is easily discovered.

Solution: 

Install the latest version:

Also see the Existing Values Autocomplete Widget project page.

Reported By: Fixed By: Coordinated By: 

Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059

Security advisories (contrib) - 24 July 2019, 18:49
Project: Facebook Messenger Customer Chat Plugin
Date: 2019-July-24
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site.

The module doesn't require any user permission to access its admin page.

Solution: 

Install the latest version:

Also see the Facebook Messenger Customer Chat Plugin project page.

Reported By: Fixed By: Coordinated By:

Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058

Security advisories (contrib) - 24 July 2019, 18:31
Project: Metatag
Date: 2019-July-24
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Description:

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks.

The module doesn't sufficiently check whether the site is in maintenance mode.

This vulnerability is mitigated by the fact that the site must be configured to disallow access to certain content, and must be put into maintenance mode.

Solution: 

Install the latest version:

Also see the Metatag project page.

Reported By: Fixed By: Coordinated By: