Security advisories

SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

Security advisories (contrib) - 11 June 2014, 17:31
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-059
  • Project: Touch (third-party module)
  • Version: 7.x
  • Date: 2014-June-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Touch Theme is a lightweight theme with a modern look and feel.

The theme does not sufficiently sanitize the theme settings input for the Twitter and Facebook usernames.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Touch 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Touch module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Touch theme for Drupal 7.x, upgrade to Touch 7.x-1.9

Also see the Touch project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass

Security advisories (contrib) - 28 May 2014, 16:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-058
  • Project: Webserver authentication (third-party module)
  • Version: 7.x
  • Date: 2014-May-28
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server.
A configuration variable did not have consistent default values in the code, so on a new install users would be created by default even though the configuration screen suggested otherwise.
This vulnerability is mitigated by the fact that the issue is only present if the site owner has not saved the configuration page, and it is very common to configure a module after installing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webserver authentication before version 7.x-1.4

Drupal core is not affected. If you do not use the contributed Webserver authentication module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webserver authentication project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-057 - Password policy - General logic error

Security advisories (contrib) - 21 May 2014, 17:15
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-057
  • Project: Password policy (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: General logic error
Description

This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords.

Beginning with Password Policy 7.x-1.4, the history constraint had no effect when enabled, and user passwords could be changed to match any previous passwords beyond the most recent. Therefore, passwords of users that were changed since Password Policy 7.x-1.4 or later was installed may match previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only affects users covered by a password policy with the history constraint enabled.
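To make the logic error concrete, here is an added example (not code from the Password policy module) of a history constraint check written in plain PHP: the correct version compares the candidate password against every stored hash inside the history window, and the broken variant reproduces the effect the advisory describes, where only the most recent password is rejected. It assumes PHP 5.5 or later for password_hash()/password_verify(), which stand in here for Drupal's own user_hash_password()/user_check_password(); the password history is constructed sample data.

```php
<?php
// Added example, not Password policy module code: a password-history
// constraint that rejects a new password matching any of the last $depth
// stored hashes, beside a broken variant that only ever checks the first one.

/**
 * Correct check: every stored hash within the history depth is compared.
 *
 * @param string   $candidate  New plaintext password supplied by the user.
 * @param string[] $history    Stored hashes, most recent first (constructed sample).
 * @param int      $depth      Number of previous passwords that may not be reused.
 */
function history_constraint_ok($candidate, array $history, $depth) {
  foreach (array_slice($history, 0, $depth) as $old_hash) {
    if (password_verify($candidate, $old_hash)) {
      return FALSE;  // reuse of a previous password inside the window
    }
  }
  return TRUE;
}

/**
 * Broken variant: the loop returns on its first iteration, so only the most
 * recent password is rejected. This mirrors the effect described in the
 * advisory, not the module's actual code.
 */
function history_constraint_broken($candidate, array $history, $depth) {
  foreach (array_slice($history, 0, $depth) as $old_hash) {
    return !password_verify($candidate, $old_hash);
  }
  return TRUE;
}

// Constructed history: three previous passwords, newest first.
$history = array(
  password_hash('winter2014', PASSWORD_DEFAULT),
  password_hash('autumn2013', PASSWORD_DEFAULT),
  password_hash('summer2013', PASSWORD_DEFAULT),
);

// 'autumn2013' is the case that matters: older than the most recent password,
// but still inside a history depth of 3.
foreach (array('winter2014', 'autumn2013', 'spring2014') as $attempt) {
  printf("%-12s correct=%s broken=%s\n", $attempt,
    history_constraint_ok($attempt, $history, 3) ? 'allow' : 'reject',
    history_constraint_broken($attempt, $history, 3) ? 'allow' : 'reject');
}
```

The second attempt is the one the advisory's second solution step exists for: any password set while the constraint was ineffective may already be a reuse, which is why forcing a change for the covered users is needed in addition to upgrading.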

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password policy 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution
  1. Install the latest version:
  2. Force a password change for all users covered by a password policy with the history constraint enabled.

Also see the Password policy project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure

Security advisories (contrib) - 21 May 2014, 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-056
  • Project: Commerce Moneris (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce.

The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is never removed from the order object and is later saved in the clear as serialized data in the database.

This vulnerability is mitigated by the fact that an attacker must have access to the database or the ability to execute PHP to output the raw or unserialized data from the commerce order.
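The practical questions after this advisory are how to hand card details to a gateway without attaching them to the order, and how a site owner can find out whether card numbers already reached the database. The following is an added example, not Commerce Moneris code: a request builder that keeps card data out of the order array, and a scan over a serialized order data blob that reports Luhn-valid digit runs in masked form. It assumes that order data is stored as a serialized PHP array (as in the commerce_order table's data column); the two order rows are constructed.

```php
<?php
// Added example, not Commerce Moneris code: (1) passing card details to a
// gateway request without copying them into the order, and (2) a check a site
// owner can run over stored order data to see whether card numbers were saved.

/**
 * Luhn check, used to tell card numbers apart from other long digit runs
 * (order ids, timestamps, phone numbers).
 */
function luhn_valid($digits) {
  $sum = 0;
  $alt = FALSE;
  for ($i = strlen($digits) - 1; $i >= 0; $i--) {
    $d = (int) $digits[$i];
    if ($alt) {
      $d *= 2;
      if ($d > 9) { $d -= 9; }
    }
    $sum += $d;
    $alt = !$alt;
  }
  return $sum % 10 === 0;
}

/**
 * Scan a serialized order data blob for 13-19 digit runs that pass Luhn.
 * Matches are returned masked (first 6, last 4) so the report itself does
 * not leak full card numbers into logs.
 */
function find_card_numbers_in_order_data($serialized) {
  $found = array();
  if (preg_match_all('/\d{13,19}/', $serialized, $m)) {
    foreach ($m[0] as $run) {
      if (luhn_valid($run)) {
        $found[] = substr($run, 0, 6) . str_repeat('*', strlen($run) - 10) . substr($run, -4);
      }
    }
  }
  return $found;
}

/**
 * Safe request builder: card data goes into the gateway payload only; the
 * order keeps just what the store needs after the transaction.
 */
function build_gateway_request(array $order, array $card) {
  $request = array(
    'order_id' => $order['order_id'],
    'amount'   => $order['amount'],
    'pan'      => $card['number'],
    'expdate'  => $card['exp'],
  );
  // Nothing from $card is copied into $order['data'], so a later save of the
  // order cannot write it to the database.
  return $request;
}

// Constructed sample rows: one order written the unsafe way, one written safely.
$unsafe = serialize(array('payment_method' => 'moneris', 'cc' => array('number' => '4111111111111111', 'exp' => '1216')));
$safe   = serialize(array('payment_method' => 'moneris', 'txn_id' => '20140521170700'));

foreach (array('unsafe' => $unsafe, 'safe' => $safe) as $label => $blob) {
  $hits = find_card_numbers_in_order_data($blob);
  printf("%s order: %s\n", $label, $hits ? implode(', ', $hits) : 'no card numbers found');
}
```

Run the scan over every stored order before and after upgrading: the upgrade stops new card data from being written, but rows that already contain it still need to be cleaned, and the scan tells you which ones.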

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Moneris 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Moneris module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Moneris project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2014-055 - Require Login - Access bypass

Security advisories (contrib) - 21 May 2014, 17:07
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-055
  • Project: Require Login (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to restrict access to a site for all non-authenticated users.

The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users.

This vulnerability is mitigated by the fact that private/sensitive information must be on the site's front page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login Redirect 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-054 - Views - Access Bypass

Security advisories (contrib) - 21 May 2014, 16:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-054
  • Project: Views (third-party module)
  • Version: 7.x
  • Date: 2014-May-21
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers from view_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected; only area handlers, the get_field_labels() method, token replacement, and some relationship handling are susceptible.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.8

Also see the Views project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass

Security advisories (contrib) - 14 May 2014, 18:44
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-053
  • Project: Field API Tab Editor (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page.

The module returns an incorrect value to hook_menu if the current user does not have access to edit the entity. This allows users who would not normally have access to edit the entity to edit any fields that are enabled via this module.

The problem is mitigated by the fact that a site builder must enable the custom edit page for the fields. That configuration is not the default nor automatic.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field API Tab Editor (FATE) 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Field API Tab Editor module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field API Tab Editor project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)

Security advisories (contrib) - 14 May 2014, 17:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-052
  • Project: Addressfield Tokens (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration.

The module does not properly filter address field values, resulting in a Cross Site Scripting (XSS) vulnerability which can be leveraged by any user that can edit an addressfield on a site displaying that field using the "address components" field formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an AddressField field (e.g. create or edit a node).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • AddressField Tokens 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Addressfield Tokens module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Addressfield Tokens project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-051 - Realname Registration - Information Disclosure

Security advisories (contrib) - 14 May 2014, 17:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-051
  • Project: Realname registration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-05-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names.

Any user with the "access administration pages" permission can change which fields are used to generate this name. This may publicly expose user profile fields intended to be kept private. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

In addition, generated user names are not passed through the core function user_validate_name(). This vulnerability is mitigated by the fact that it only impacts custom modules or themes which do not properly filter usernames through check_plain() before displaying them.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Realname Registration 6.x-2.x versions 6.x-2.0-rc5 and prior.
  • Realname Registration 7.x-1.x and 7.x-2.x versions 7.x-2.0-rc2 and prior.

Drupal core is not affected. If you do not use the contributed Realname registration module, there is nothing you need to do.

Solution

Also see the Realname registration project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x

SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass

Security advisories (contrib) - 14 May 2014, 15:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-050
  • Project: Commerce Postfinance ePayment (third-party module)
  • Version: 7.x
  • Date: 2014-May-14
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider.

The module doesn't sufficiently validate incoming payment notification (IPN) messages. Sending a specifically crafted IPN message to an affected site allows an attacker to create transactions and manipulate the status of an order. This has the potential to allow an attacker to complete the purchase of items without actually paying for them.

This vulnerability is partially mitigated by the fact that an attack is identifiable by comparing the transaction log from the payment service provider with commerce orders on an affected site.
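What "sufficiently validate" means for a payment notification handler is worth spelling out. The following is an added example, not Commerce Postfinance ePayment code: a generic IPN validator that checks the message's authenticity, checks that the order exists and that the amount and currency match what the store expects, and refuses to apply the same transaction id twice. The signature scheme (HMAC-SHA256 over the sorted fields with a shared secret) is an assumption for illustration and is not the provider's actual protocol; the orders table, the secret and the messages are constructed, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not Commerce Postfinance ePayment code: a generic validation
// routine for incoming payment notifications. The signature scheme is an
// assumption for illustration, not the provider's real one.

/**
 * HMAC over the canonical (sorted, URL-encoded) field set, excluding 'sig'.
 */
function ipn_signature(array $fields, $secret) {
  unset($fields['sig']);
  ksort($fields);
  return hash_hmac('sha256', http_build_query($fields), $secret);
}

/**
 * Returns NULL when the notification may be applied, otherwise the reason
 * it was rejected. $orders and $seen_txns stand in for database lookups.
 */
function validate_ipn(array $msg, $secret, array $orders, array $seen_txns) {
  foreach (array('order_id', 'amount', 'currency', 'txn_id', 'status', 'sig') as $k) {
    if (!isset($msg[$k])) { return "missing field $k"; }
  }
  // 1. Authenticity: the message must carry a valid signature, compared in
  //    constant time. Without this step anyone can post a "paid" message.
  if (!hash_equals(ipn_signature($msg, $secret), $msg['sig'])) {
    return 'bad signature';
  }
  // 2. Integrity of the business data: the order must exist and the paid
  //    amount and currency must match what the store expects for it.
  if (!isset($orders[$msg['order_id']])) { return 'unknown order'; }
  $order = $orders[$msg['order_id']];
  if ($msg['currency'] !== $order['currency'] || (int) $msg['amount'] !== (int) $order['amount']) {
    return 'amount/currency mismatch';
  }
  // 3. Replay: a provider transaction id may only be applied once.
  if (isset($seen_txns[$msg['txn_id']])) { return 'replayed transaction'; }
  return NULL;
}

// Constructed data: one open order and a shared secret.
$secret = 'constructed-shared-secret';
$orders = array('1001' => array('amount' => 4990, 'currency' => 'CHF'));

$good = array('order_id' => '1001', 'amount' => '4990', 'currency' => 'CHF', 'txn_id' => 'T1', 'status' => 'paid');
$good['sig'] = ipn_signature($good, $secret);

$unsigned = $good;             // signed with the wrong key: rejected at step 1
$unsigned['sig'] = ipn_signature($unsigned, 'wrong-secret');

$short = $good;                // genuinely signed, but for a smaller amount: rejected at step 2
$short['amount'] = '100';
$short['sig'] = ipn_signature($short, $secret);

foreach (array('good' => $good, 'unsigned' => $unsigned, 'short' => $short) as $label => $m) {
  printf("%-9s %s\n", $label, validate_ipn($m, $secret, $orders, array()) ?: 'accepted');
}
// The same good message seen a second time is rejected at step 3.
printf("%-9s %s\n", 'replay', validate_ipn($good, $secret, $orders, array('T1' => TRUE)) ?: 'accepted');
```

The order of the checks matters: the signature check comes first so that unauthenticated input never drives database lookups, and the amount check comes before the status is applied so that a genuinely signed notification for a partial amount cannot complete a larger order. The reconciliation the advisory suggests (comparing the provider's transaction log with the site's orders) is the after-the-fact counterpart of step 2.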

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Postfinance ePayment 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Postfinance ePayment module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Postfinance ePayment project page.

Fixed by
  • Rémy the module maintainer
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass

Security advisories (contrib) - 7 May 2014, 20:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-049
  • Project: Organic groups (third-party module)
  • Version: 7.x
  • Date: 2014-May-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves.

OG doesn't sufficiently check permissions when a group member with pending or blocked status within the group tries to access information on the site.

This vulnerability only affects sites using the "Organic groups access control" sub-module available within the Organic Groups package. It's further mitigated by the fact that an attacker must be a group member with pending or blocked status within the group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Organic Groups 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Organic groups project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

Security advisories (contrib) - 30 April 2014, 17:24
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-048
  • Project: Field API Pane Editor (FAPE) (third-party module)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module.

The module doesn't sufficiently verify the user has access to modify the entity the field is attached to. Unless another module was installed which restricted access to edit the fields, any user can edit any field on any entity on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field API Pane Editor (FAPE) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field API Pane Editor (FAPE) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field API Pane Editor (FAPE) project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-047 - Zen - Cross Site Scripting

Security advisories (contrib) - 30 April 2014, 17:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-047
  • Project: Zen (third-party theme)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design.

The theme does not properly sanitize theme settings before they are used in the output of a page. Custom themes that have copied Zen's template files (e.g. subthemes) may suffer from this same issue. If your theme creates variables in a preprocess function using text from a custom theme setting, like this:

$variables['skip_link_text'] = theme_get_setting('skip_link_text');

you can prevent malicious XSS attacks by modifying the code to look like this:

$variables['skip_link_text'] = check_plain(theme_get_setting('skip_link_text'));

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".
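Since the advisory tells subtheme owners to look for the unsanitized pattern in their own template files, here is an added example (not Zen code) of a small audit script that flags theme_get_setting() calls whose result is assigned without passing through check_plain(), filter_xss() or a similar escaping function on the same line. It is a line-based heuristic: a call that spans several lines, or a value escaped later in the function, is missed, so treat its output as a list of places to read, not a verdict. The template.php snippet it runs on here is constructed; in practice read the file from the theme directory.

```php
<?php
// Added example, not Zen code: flag theme_get_setting() results that reach a
// template variable without an escaping function wrapped around the call.

/**
 * Returns the line number and source of each suspicious assignment.
 */
function find_unsanitized_theme_settings($source) {
  $findings = array();
  $lines = preg_split('/\R/', $source);
  foreach ($lines as $n => $line) {
    if (strpos($line, 'theme_get_setting(') === FALSE) { continue; }
    // Treated as sanitized when a known escaping function wraps the call.
    if (preg_match('/\b(check_plain|filter_xss(_admin)?|check_url|check_markup)\s*\(\s*theme_get_setting\(/', $line)) {
      continue;
    }
    // Settings used only as a condition or in a comparison are not printed.
    if (preg_match('/^\s*(if|elseif|while)\s*\(/', $line)
        || preg_match('/theme_get_setting\([^)]*\)\s*(===?|!==?|&&|\|\|)/', $line)) {
      continue;
    }
    $findings[] = array('line' => $n + 1, 'code' => trim($line));
  }
  return $findings;
}

// Constructed template.php excerpt: two of the five settings are unescaped.
$sample = <<<'PHP'
function mytheme_preprocess_html(&$variables) {
  $variables['skip_link_text'] = theme_get_setting('skip_link_text');
  $variables['skip_link_anchor'] = check_plain(theme_get_setting('skip_link_anchor'));
  if (theme_get_setting('zen_html5')) {
    $variables['html5'] = TRUE;
  }
  $variables['footer_note'] = filter_xss(theme_get_setting('footer_note'));
  $variables['tagline'] = theme_get_setting('tagline');
}
PHP;

foreach (find_unsanitized_theme_settings($sample) as $f) {
  printf("line %d: %s\n", $f['line'], $f['code']);
}
```

The choice of escaping function depends on where the value ends up: check_plain() for text rendered inside an element, check_url() for a setting that becomes an href or src attribute. Wrapping the call at the point of assignment, as the advisory's fix does, keeps the rule easy to audit.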

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Zen 7.x-5.x versions prior to 7.x-5.5.
  • Zen 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Zen project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)

Security advisories (contrib) - 30 April 2014, 15:52
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-046
  • Project: Context Form Alteration (third-party module)
  • Version: 7.x
  • Date: 2014-April-30
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Context Form Alteration module enables admins to alter forms via Context reactions.

The module doesn't sufficiently sanitize user input entered within the Context configuration UI.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer contexts".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Context Form Alteration 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Context Form Alteration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Context Form Alteration project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

Security advisories (contrib) - 23 April 2014, 20:14
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-045
  • Project: Drupal Commons (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This advisory covers two fixes to Drupal Commons.

Views Bulk Operations Access Bypass

Drupal Commons ships with a view for moderating reported content, intended to let authenticated users see which content has been reported.

Because that view has hard-coded VBO operations, and Drupal Commons does not ship with the VBO 'access_permissions' submodule enabled, every bulk operation in the view can be performed by anyone who can access the view. In the default configuration this lets users delete other users' content and potentially ban other users from the site.

Anonymous Users can view Wiki revisions regardless of group privacy

Commons allows members of a group to edit a wiki created by anyone, regardless of the node's own edit permissions; that edit permission is supposed to be derived from the group's permissions. However, the revisions permission hook allows anyone (anonymous or authenticated) to view revisions and diffs between revisions. This can leak hidden data from groups a user does not otherwise have access to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Drupal Commons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commons project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)

Security advisories (contrib) - 23 April 2014, 19:19
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-044
  • Project: Professional Theme (third-party module)
  • Version: 7.x
  • Date: 2014-April-23
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Professional Theme is a modern and professional Drupal theme.

The theme does not sufficiently sanitize theme settings input for custom copyright information.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".
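The pattern behind this advisory, as an added example that is not the Professional Theme's own code: a Drupal 7 theme that exposes a copyright text field in its theme settings, shown first in the unsafe form (raw setting handed to the template) and then in the fixed form using core's `check_plain()`; the theme name `example_theme`, the setting key `copyright_info` and the `$copyright` template variable are assumptions.

```php
<?php
// Added example; not code from the Professional Theme project.
// Drupal 7 theme files: theme-settings.php (form) and template.php (preprocess).
// 'copyright_info' is an assumed setting key; the field is editable by any
// user holding the "administer themes" permission.

/**
 * theme-settings.php: adds the copyright text field to the theme settings form.
 */
function example_theme_form_system_theme_settings_alter(&$form, &$form_state) {
  $form['copyright_info'] = array(
    '#type' => 'textfield',
    '#title' => t('Copyright information'),
    '#default_value' => theme_get_setting('copyright_info'),
  );
}

/**
 * Vulnerable form: the stored setting goes to page.tpl.php unchanged, where
 * it is output with <?php print $copyright; ?>. Any markup or script saved
 * in the setting is rendered as HTML for every visitor of the site.
 */
function example_theme_preprocess_page_vulnerable(&$variables) {
  $variables['copyright'] = theme_get_setting('copyright_info');
}

/**
 * Fixed form: the value is treated as plain text. check_plain() HTML-escapes
 * <, >, &, " and ', so the browser displays the characters instead of parsing them.
 * This is the only preprocess hook the theme should register.
 */
function example_theme_preprocess_page(&$variables) {
  $variables['copyright'] = check_plain(theme_get_setting('copyright_info'));
}

/**
 * Alternative when site builders legitimately need limited markup (for example
 * a link to a legal page): allow an explicit tag list with filter_xss() rather
 * than printing the raw value.
 */
function example_theme_copyright_with_markup() {
  return filter_xss(theme_get_setting('copyright_info'), array('a', 'em', 'strong'));
}
```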

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Professional Theme 7.x versions prior to 7.x-2.04.

Drupal core is not affected. If you do not use the contributed Professional Theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Professional Theme for Drupal 7.x, upgrade to 7.x-2.04

Also see the Professional Theme project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
