+ Letöltés |
Drupal 7.14 Fordítás Drupal 6.26 Fordítás |
CVE: Requested
The BrowserID module provides integration with BrowserID (also known as Mozilla Persona) -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site.
The module did not sufficiently validate requests for authentication to log in, potentially allowing a Cross Site Request Forgery (CSRF) attack and introducing the possibility that logging in to a malicious site with BrowserID could give that site the ability to log in to other websites using your BrowserID identity.
Versions affectedDrupal core is not affected. If you do not use the contributed BrowserID (Mozilla Persona) module, there is nothing you need to do.
SolutionInstall the latest version:
This version adds a dependency on the Session API module. Make sure you install Session API before upgrading to BrowserID 7.x-1.3.
Also see the BrowserID (Mozilla Persona) project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested
This module enables you to build searches using a wide range of features, data sources and backends.
The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by manipulating its URL. Users would have to open such a manipulated URL to see the changed content.
This is only possible in some setups of Search API, specifically when users can manually enter field identifiers in some way – e.g., through an exposed Views sort or with the old Facets module.
Versions affectedDrupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Search API project page.
Reported by Fixed byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested
This module enables you to display the terms (and optionally nodes) under categories.
The module doesn't sufficiently sanitize user supplied text in the taxonomy information.
This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.
Versions affectedThe 6.x-2.x branch is not affected.
Drupal core is not affected. If you do not use the contributed Taxonomy List module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Taxonomy List project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.
Versions affectedDrupal core is not affected. Zen versions 6.x-2.x are not affected. If you do not use the contributed Zen theme, there is nothing you need to do.
SolutionInstall the latest version:
If you copied code from the zen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:
check_plain(menu_get_active_title());
Also see the Zen project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users.
The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.
This vulnerability is mitigated by the fact that the "Append the content title to the end of the breadcrumb" checkbox is not enabled by default and needs to be enabled for this to be exploited.
Versions affectedDrupal core is not affected. If you do not use the contributed Aberdeen theme, there is nothing you need to do.
SolutionInstall the latest version:
If you copied code from the aberdeen_breadcrumb function into a custom sub-theme's template.php file you should compare your code to the changes to ensure that menu_get_active_title() is properly wrapped in check plain like:
check_plain(menu_get_active_title());
Also see the Aberdeen project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing to exploit this must have access to the PHP code of either provision itself or one of the sites hosted by Aegir.
Access BypassCVE: Requested.
Hostmaster doesn't allow people to edit or create certain node types that are used for the internal representation of data. The implementation of this wasn't fully complete and would still allow privileged users to edit these nodes. This can cause some data corruption in the front-end, leading to tasks that would appear to never finish running. This vulnerability is mitigated by the fact that people wishing to exploit this must have the 'edit package' or 'administer nodes' permissions, which are not given to any roles by the default Aegir install.
Versions affectedDrupal core is not affected. If you do not use the contributed Hostmaster (Aegir) module, there is nothing you need to do.
SolutionFollow the upgrade instructions in the release notes for the Aegir 1.9 release which can be found at: http://community.aegirproject.org/1.9
Also see the Hostmaster (Aegir) project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application.
The module doesn't sufficiently filter user supplied text provided by users registering on the site and also allows unauthorized users to view other user's commission.
Drupal core is not affected. If you do not use the contributed Post Affiliate Pro module, there is nothing you need to do.
SolutionThe module is no longer supported. Users should disable it. Users interested in continuing to use it should see the project page for more information.
Also see the Post Affiliate Pro project page.
Reported by Fixed byNo fix was provided.
Coordinated byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
The function filter_titles() incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text.
This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue.
Versions affectedDrupal core is not affected. If you do not use the contributed Smart Breadcrumb module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Smart Breadcrumb project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages.
The module could, under certain conditions, expose limited site configuration information and a debugging mode did not sufficiently sanitize input, allowing for potential cross-site scripting (XSS).
This vulnerability is mitigated by the fact that exposed data must have been explicitly set in the $conf variable in settings.php.
Drupal core is not affected. If you do not use the contributed Advertisement module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Advertisement project page.
Reported by Fixed byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: Requested.
This module enables you to sell product keys from an Ubercart store.
Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key.
Versions affectedDrupal core is not affected. If you do not use the contributed Ubercart Product Keys module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Ubercart Product Keys project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module enables you to manage your Drupal file-system from within Drupal itself.
The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack.
This vulnerability is mitigated by the fact that the attacker must be able to guess your Drupal file-system root path exactly. Further, if your site follows the secure file-system permissions recommendations and the web-server account does not have write access to Drupal root, only files/folders in Drupal's "files" directory are open to manipulation.
Drupal core is not affected. If you do not use the contributed Take Control module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Take Control project page.
Reported by Fixed byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form (without a drop down menu) with a unique path for each of the contact form categories.
The module allowed users to edit the Contact Form settings if they have permission to 'access the site-wide contact form' instead of more appropriate 'Administer contact forms and contact form settings' permission.
This vulnerability is only mitigated by the fact that an attacker must know the correct url to access the Contact Forms settings page (though it is the same on all Drupal sites).
Drupal core is not affected. If you do not use the contributed Contact Forms module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Contact Forms project page.
Reported by Fixed byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term.
The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create or edit taxonomy terms.
Versions affectedDrupal core is not affected. If you do not use the contributed Glossary module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the Glossary project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site.
The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create or edit vocabularies or terms.
Drupal core is not affected. If you do not use the contributed cctags module, there is nothing you need to do.
SolutionInstall the latest version:
Also see the cctags project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: CVE-2012-1588
Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.
Unvalidated form redirectCVE: CVE-2012-1589
Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login from to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.
Access bypass - forum listingCVE: CVE-2012-1590
Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.
Access bypass - private imagesCVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.
Access bypass - content administrationCVE: CVE-2012-2153
Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "view content overview" permission. Unpublished nodes were not displayed to users who only had the "view content overview" permission.
Versions affectedInstall the latest version:
Also see the Drupal core project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
CVE: CVE-2012-1588
Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the "post comments" or "Forum topic: Create new content" permission.
Unvalidated form redirectCVE: CVE-2012-1589
Drupal core's Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login from to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user's ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.
Access bypass - forum listingCVE: CVE-2012-1590
Drupal core's forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.
Access bypass - private imagesCVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn't set the right headers to prevent image styles from being cached in the browser.
Access bypass - content administrationCVE: Requested.
Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the "view content overview" permission. Unpublished nodes were not displayed to users who only had the "view content overview" permission.
Versions affectedInstall the latest version:
Also see the Drupal core project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages.
This module does not protect against an Cross Site Scripting (XSS) attack. The vulnerability is mitigated by the fact that the attacker must be able to create or edit any of: content (nodes), vocabularies, or terms.
Drupal core is not affected. If you do not use the contributed Glossify Internal Links Auto SEO module, there is nothing you need to do.
SolutionUninstall the module, it is no longer supported.
Also see the Glossify Internal Links Auto SEO project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected.
This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an attacker would need the ability to create or edit a vocabulary or term.
Drupal core is not affected. If you do not use the contributed Taxonomy Grid : Catalog module, there is nothing you need to do.
SolutionUninstall the module
Also see the Taxonomy Grid : Catalog project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.
Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.
SolutionThis module is not supported. Uninstall the module.
Also see the Addressbook project page.
Reported byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system.
This module does not protect a CSRF attack when creating node galleries.
Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.
SolutionUninstall the module, this module is no longer supported.
Also see the Node Gallery project page.
Reported by Coordinated byThe Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.