News reader

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

Security advisories (contrib) - 6 March 2024, 18:06
Project: Registration role
Date: 2024-March-06
Security risk: Critical 18/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <2.0.1
Description:

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Solution: 

Install the latest version:

Review user accounts registered between 2023 July 11 and now for additional roles you did not intend them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or the development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, users who registered received all roles, up until you re-saved the settings form or installed the new release, whichever came first.

Also, upgrade to the latest version and run the update hooks at update.php or with Drush (drush updb).

OR: Immediately re-save the configuration page at /admin/people/registration-role


Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

Security advisories (contrib) - 28 February 2024, 19:36
Project: Drupal Symfony Mailer Lite
Date: 2024-February-28
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: <1.0.6
Description:

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Solution: 

Upgrade to Symfony Mailer Lite 1.0.6 and rebuild Drupal's cache.


Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

Security advisories (contrib) - 28 February 2024, 19:27
Project: Node Access Rebuild Progressive
Date: 2024-February-28
Security risk: Less critical 9/25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

Solution: 

Install the latest version:

Reported By:
  • Jen Lampton, Provisional Member of the Drupal Security Team

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

Security advisories (contrib) - 28 February 2024, 19:19
Project: Private content
Date: 2024-February-28
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <2.1.0
Description:

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.

The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".

Solution: 

Install the latest version:


Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

Security advisories (contrib) - 28 February 2024, 19:14
Project: Coffee
Date: 2024-February-28
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: <1.4.0
Description:

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

Solution: 

Install the latest version:

  • If you use the Coffee module for Drupal 10, upgrade to Coffee 8.x-1.4

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010

Security advisories (contrib) - 21 February 2024, 17:58
Project: Node Access Rebuild Progressive
Date: 2024-February-21
Security risk: Less critical 9/25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.0.2
Description:

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

Solution: 

Install the latest version:


CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Security advisories (contrib) - 14 February 2024, 20:31
Project: CKEditor 4 LTS - WYSIWYG HTML editor
Date: 2024-February-14
Security risk: Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: >=1.0.0 <1.0.1
Description:

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.

The vulnerability is mitigated by the fact that it requires:

  1. full-page editing mode to be enabled, or CDATA elements in the Advanced Content Filtering configuration (which defaults to script and style elements) to be enabled; and
  2. an attacker to have a permission with access to the CKEditor instance.

For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection

Solution: 

Install the latest version:

  • If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1

Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008

Security advisories (contrib) - 7 February 2024, 18:56
Project: Migrate Tools
Date: 2024-February-07
Security risk: Moderately critical 12/25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery
Affected versions: <6.0.3
Description:

The Migrate Tools module provides tools for running and managing Drupal migrations.

The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios, allowing an attacker to initiate a migration.

This vulnerability is mitigated by the fact that an attacker must know the name of the migration.

Solution: 

Install the latest version:


Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

Security advisories (contrib) - 31 January 2024, 18:22
Project: Entity Delete Log
Date: 2024-January-31
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <1.1.1
Description:

The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments.

It does not apply sufficient permission checks to the log report page, allowing an attacker to view information from deleted entities.

Solution: 

Install the latest version:

Note: This release updates the default permissions for the entity_delete_log view. After the update, you may want to review that permission if you already changed it from the default.


Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

Security advisories (contrib) - 24 January 2024, 16:54
Project: Swift Mailer
Date: 2024-January-24
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which would require either another contributed module or a custom integration.

Solution: 

Uninstall this module immediately. The swiftmailer library has been unsupported for a year, and this module is now also unsupported.

Changing to a replacement module is suggested; the following were specifically suggested by the module maintainers:


Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Security advisories (contrib) - 24 January 2024, 16:47
Project: Open Social
Date: 2024-January-24
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Proof/TD:Default
Vulnerability: Information Disclosure
Affected versions: <12.0.5
Description:

Open Social is a Drupal distribution for online communities.

The included optional social_group_flexible_group module doesn't sufficiently validate group updates. The lack of validation makes it possible for content inside the group to change its visibility, which could lead to that content being shown to a broader audience than intended.

This vulnerability is mitigated by the fact that the social_group_flexible_group module needs to be enabled.

Solution: 

Install the latest version of Open Social:


Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004

Security advisories (contrib) - 24 January 2024, 16:45
Project: Open Social
Date: 2024-January-24
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <12.05
Description:

Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed.

This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level.

Solution: 

Install the latest version of Open Social:


Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003

Security advisories (contrib) - 24 January 2024, 16:42
Project: Two-factor Authentication (TFA)
Date: 2024-January-24
Security risk: Moderately critical 14/25 AC:Complex/A:None/CI:Some/II:Some/E:Proof/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.5.0
Description:

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled.

This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.

Solution: 

Install the latest 8.x-1.2 version:

  • If you use the Two-factor Authentication (TFA) module for Drupal 8, 9, or 10, upgrade to TFA 8.x-1.5

After installing this update, disabled plugins will no longer be offered or accepted as a second-factor option.

If an account is configured with only disabled plugins, login will be prohibited and the configured TFA "Help text" will be displayed instead of a second-factor prompt.

To allow access for a locked-out user, site owners may consider enabling the plugin (admin/config/people/tfa) or may use their existing procedures for granting access to accounts where the user has forgotten or lost their second-factor tokens.

Accounts with both enabled and disabled plugins will prompt the account owner with one of the remaining enabled plugins.


Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

Security advisories (core) - 17 January 2024, 18:04
Project: Drupal core
Date: 2024-January-17
Security risk: Moderately critical 11/25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Affected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2
Description:

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DoS).

Sites that do not use the Comment module are not affected.

Solution: 

Install the latest version:

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Drupal 7 is not affected.


Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Security advisories (contrib) - 10 January 2024, 19:00
Project: Typogrify
Date: 2024-January-10
Security risk: Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0
Description:

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.

The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that it is only exposed when the Twig filter is specifically used in a template to render content.

Solution: 

Install the latest version:

If you use the typogrify Twig filter provided by this module, then this update may cause double-encoding of text. See the updated README for best practices.


File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

Security advisories (contrib) - 10 January 2024, 18:01
Project: File Entity (fieldable files)
Date: 2024-January-10
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting, Access bypass
Description:

File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.

The module previously did not sufficiently validate files in the file replacement scenario, leading to multiple exploit paths including persistent Cross Site Scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit files.

Solution: 

Install the latest version:


Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055

Security advisories (contrib) - 20 December 2023, 18:02
Project: Data Visualisation Framework
Date: 2023-December-20
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: < 2.0.2
Description:

This module allows you to turn various data sources (e.g. a CSV or JSON file) into interactive visualisations. The DVF module provides a field (storage, widget and formatter) that can be added to any entity.

This module uses two third-party JS libraries with vulnerabilities ranging from low to medium severity. One of them is a Cross Site Scripting vulnerability that may affect Drupal sites as a persistent (i.e. not reflected) Cross Site Scripting vulnerability. This release updates the libraries.

The issue is mitigated by the fact that an attacker needs the permission to create or edit content that is displayed using the Data Visualisation Framework.

Solution: 

Install the latest version:

  • If you use the Data Visualisation Framework for Drupal module (DVF for short), upgrade to dvf 2.0.2

Group - Less critical - Access bypass - SA-CONTRIB-2023-054

Security advisories (contrib) - 6 December 2023, 17:16
Project: Group
Date: 2023-December-06
Security risk: Less critical 8/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.2.2 || >=3.0.0 <3.2.2
Description:

The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.

The module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.

This vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.
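The hash collision described above, as an added illustration that is not the Group module's own code: a model in which the permissions hash is derived from the permission sets alone, so two users with different memberships collide and one user's cached entity list is served to the other, beside a corrected hash that also covers group memberships. The user records, nodes and the cache-keyed listing are constructed for this example.

```python
import hashlib
import json

# Constructed sample data (not from the Group module): two users with identical
# outsider and insider permissions, members of different groups, with no
# individual roles on their memberships (the scenario in SA-CONTRIB-2023-054).
USERS = {
    "alice": {"perms": ["view group", "view private content"], "groups": {"g1": []}},
    "bob":   {"perms": ["view group", "view private content"], "groups": {"g2": []}},
}
# Constructed node list: None means the node is not attached to any group.
NODES = [("public-node", None), ("g1-private", "g1"), ("g2-private", "g2")]


def hash_flawed(user):
    """Model of the flawed hash: derived from the permission sets only."""
    return hashlib.sha256(json.dumps(sorted(user["perms"])).encode()).hexdigest()


def hash_fixed(user):
    """Model of a corrected hash: also covers which groups the user belongs to."""
    payload = {"perms": sorted(user["perms"]), "groups": sorted(user["groups"])}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def visible_nodes(user):
    """Ground truth: nodes attached to no group, or to one of the user's groups."""
    return [n for n, g in NODES if g is None or g in user["groups"]]


def listing(user_name, cache, hash_fn):
    """Serve the entity list from a cache keyed by the permissions hash, as a
    list-access cache context would. A colliding hash hands one user another
    user's list."""
    user = USERS[user_name]
    key = hash_fn(user)
    if key not in cache:
        cache[key] = visible_nodes(user)
    return cache[key]


def leaked_nodes(hash_fn):
    """List for alice first, then bob; report nodes bob sees beyond his own access."""
    cache = {}
    listing("alice", cache, hash_fn)
    seen_by_bob = listing("bob", cache, hash_fn)
    return [n for n in seen_by_bob if n not in visible_nodes(USERS["bob"])]


if __name__ == "__main__":
    print("flawed hash leaks:", leaked_nodes(hash_flawed))   # ['g1-private']
    print("fixed hash leaks: ", leaked_nodes(hash_fixed))    # []
```

The same collision check can be run over real user data to audit whether any two users with different memberships share a hash after upgrading.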

Solution: 

Install the latest version:


Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

Security advisories (contrib) - 29 November 2023, 16:27
Project: Xsendfile
Date: 2023-November-29
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.2.0
Description:

The Xsendfile module enables fast transfer for private files in Drupal.

In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.

Solution: 

Install the latest version:
