Biztonsági figyelmeztetések

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.28
Description

The Custom Sitemap module enables you to add custom sitemaps to a site.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Custom Sitemap module.

Drupal core is not affected. If you do not use the contributed Custom Sitemap module, there is nothing you need to do.

Solution

If you use the Custom Sitemap module you should uninstall it.

Also see the Custom Sitemap project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.25
Description

Spider Video Player module enables you to add HTML5 and Flash videos to your site.

The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the attacker must have a role with the permission "access Spider Video Player administration".

Additionally, the module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting videos by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Video Player module.

Drupal core is not affected. If you do not use the contributed Spider Video Player module, there is nothing you need to do.

Solution

If you use the Spider Video Player module you should uninstall it.

Also see the Spider Video Player project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.22
Description

Spider Catalog module enables you to build product catalogs.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Catalog module.

Drupal core is not affected. If you do not use the contributed Spider Catalog module, there is nothing you need to do.

Solution

If you use the Spider Catalog module you should uninstall it.

Also see the Spider Catalog project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.17
Description

Spider Contacts module provides a user-friendly way to manage and display contacts.

The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker must have a role with the permission "access Spider Contacts category administration".

Additionally, the module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting contact categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Contacts module.

Drupal core is not affected. If you do not use the contributed Spider Contacts module, there is nothing you need to do.

Solution

If you use the Spider Contacts module you should uninstall it.

Also see the Spider Contacts project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.14
Description

inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service.

The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of inLinks Integration module.

Drupal core is not affected. If you do not use the contributed inLinks Integration module, there is nothing you need to do.

Solution

If you use the inLinks Integration module you should uninstall it.

Also see the inLinks Integration project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 17.07
Description

Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site.

The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Services single sign-on server helper module.

Drupal core is not affected. If you do not use the contributed Services single sign-on server helper module, there is nothing you need to do.

Solution

If you use the Services single sign-on server helper module you should uninstall it.

Also see the Services single sign-on server helper project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 16.44
Description

SMS Framework module enables you to send and receive SMS messages from and into Drupal.

The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This vulnerability is mitigated by the fact that the "Send to phone" submodule must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • SMS Framework 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed SMS Framework module, there is nothing you need to do.

Solution

Install the latest version:

Also see the SMS Framework project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 25. 16.17
Description

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer fields such as "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Entity API 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Entity API module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Entity API project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 17.17
Description

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially confidential data to unauthorized users.

This vulnerability is mitigated by the fact that the RESTWS Basic Auth submodule must be enabled, page caching must be enabled and permissions for a resource containing sensitive data must be enabled (for example the User resource).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • RESTWS 7.x-1.x versions prior to 7.x-1.5.
  • RESTWS 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

Reported by Fixed by
  • Klaus Purer the module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 17.11
Description

Term Queue module allows you to create lists of taxonomy terms and display them in a block.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Term Queue 6.x-1.0

Drupal core is not affected. If you do not use the contributed Term Queue module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Term Queue project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 17.05
Description

Services Basic Authentication module adds HTTP basic authentication for Services module.

A user could get unauthorized access to resources under some circumstances.

This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Services Basic Authentication module.

Drupal core is not affected. If you do not use the contributed Services Basic Authentication module, there is nothing you need to do.

Solution

If you use the Services Basic Authentication module you should uninstall it

Also see the Services Basic Authentication project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 16.24
Description

Navigate is a customizable navigation bar for Drupal.

The module doesn't sufficiently sanitize user input when displaying the Navigate bar.

Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafted malicious url.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Navigate 6.x-1.x versions prior to 6.x-1.1.
  • Navigate 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Navigate project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 16.09
Description

Avatar Uploader module provides an alternative way to upload user pictures.

The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "upload avatar file", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations should prevent code execution in typical Apache configurations.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Avatar Uploader 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 18. 16.08
Description

This module enables live previews of Panels panes in the modal dialog for adding or editing them.

The module doesn't sufficiently filter the pane title when re-rendering the live preview.

This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Panopoly Magic 7.x-1.x versions prior to 7.x-1.17.

Drupal core is not affected. If you do not use the contributed Panopoly Magic module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Panopoly Magic project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 17.21
Description

Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode.

The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Taxonomy Path 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Taxonomy Path module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy Path project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 17.18
Description

Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service.

The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability.

Also, some URLs were not protected against CSRF. A malicious user can cause another user to delete their configured bank accounts by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Commerce Balanced Payments.

Drupal core is not affected. If you do not use the contributed Commerce Balanced Payments module, there is nothing you need to do.

Solution

If you use the Commerce Balanced Payments module you should uninstall it.

Also see the Commerce Balanced Payments project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 17.09
Description

Node basket module enables you to pick up nodes in a basket.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit nodes.

Also, the module has CSRF vulnerabilities. A malicious user can cause another user to add/remove nodes of the basket by getting his browser to make a request to a specially-crafted URL.

Also, the module has an Open Redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node basket module.

Drupal core is not affected. If you do not use the contributed Node basket module, there is nothing you need to do.

Solution

If you use the Node basket module you should uninstall it.

Also see the Node basket project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF) - Unsupported

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 17.00
Description

Feature Set module enables you to enable or disable sets of features or modules.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Feature Set module.

Drupal core is not affected. If you do not use the contributed Feature Set module, there is nothing you need to do.

Solution

If you use the Feature Set module you should uninstall it.

Also see the Feature Set project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 16.55
Description

Webform prepopulate block module enables you to set a webform component to display in a separated block.

The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Webform prepopulate block 7.x-3.0

Drupal core is not affected. If you do not use the contributed Webform prepopulate block module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform prepopulate block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities

Biztonsági figyelmeztetések (contrib) - 2015. február 11. 16.53
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

Open redirect vulnerability

The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Access bypass vulnerability

The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.

This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Views 6.x-2.x versions prior to 6.x-2.18.
  • Views 6.x-3.x versions prior to 6.x-3.2.
  • Views 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Oldalak

Feliratkozás drupal.hu hírolvasó - Biztonsági figyelmeztetések csatornájára