Hírolvasó

Project: Responsive media Image FormatterDate: 2023-March-15Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: Media Responsive ThumbnailDate: 2023-March-15Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureDescription: 

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.

This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.

This release was coordinated with SA-CORE-2023-002.

Solution: 

Install the latest version:

• If you use the Media Responsive Thumbnail module, upgrade to Media Responsive Thumbnail 8.x-1.5

Reported By: 

• Dan Flanagan

Fixed By: 

• Ivan Vidusenko
• Benji Fisher of the Drupal Security Team

Coordinated By: 

• Benji Fisher of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Joseph Zhao Provisional Member of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Dave Long of the Drupal Security Team

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: 

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Solution: 

Install the latest version:

• If you are using Drupal 10.0, update to Drupal 10.0.5.
• If you are using Drupal 9.5, update to Drupal 9.5.5.
• If you are using Drupal 9.4, update to Drupal 9.4.12.
• If you are using Drupal 7, update to Drupal 7.95.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 

• Elar Lang

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Elar Lang
• Lee Rowlands of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Joseph Zhao Provisional Member of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Jen Lampton Provisional Member of the Drupal Security Team
• Nate Lampton
• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: 

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 10.0, update to Drupal 10.0.5.
• If you are using Drupal 9.5, update to Drupal 9.5.5.
• If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By: 

• Jan Kellermann

Fixed By: 

• Jan Kellermann
• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• Jess of the Drupal Security Team
• Sascha Grossenbacher
• Neil Drumm of the Drupal Security Team
• Dave Long of the Drupal Security Team

Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: 

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 10.0, update to Drupal 10.0.5.
• If you are using Drupal 9.5, update to Drupal 9.5.5.
• If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.

Reported By: 

• James Williams
• Dan Flanagan

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• James Williams
• Jess of the Drupal Security Team
• Dave Long of the Drupal Security Team
• Dan Flanagan
• Jen Lampton Provisional Member of the Drupal Security Team
• Joseph Zhao Provisional Member of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: GutenbergDate: 2023-March-08Security risk: Less critical 8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: 

This module provides a new UI experience for node editing - Gutenberg editor.

This vulnerability can cause DoS by using reusable blocks improperly.

This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it.

Solution: 

Install the latest version:

• If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7

Reported By: 

• Eirik Morland

Fixed By: 

• Eirik Morland
• Marco Fernandes
• Stephan Zeidler

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Group control for forumsDate: 2023-March-01Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=2.0.0 <2.0.2Description: 

This module enables you to associate Forums as Group 1.x content and use Group access permissions.

Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.

Solution: 

Install the latest version:

• If you use the Group control for forums module for Drupal 9.x or 10.x, upgrade to Group control for forums 2.0.2

Reported By: 

• ekes

Fixed By: 

• Jürgen Haas
• ekes

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: ThunderDate: 2023-March-01Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3Description: 

Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.

The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.

Solution: 

Install the latest version:

• If you use the thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to thunder 6.4.6 or thunder 6.5.3 respectively.

Reported By: 

• Steffen Schlaer

Fixed By: 

• Volker Killesreiter
• Alexander Varwijk
• Steffen Schlaer
• Klaus Purer
• Daniel Bosen

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Better Social Sharing ButtonsDate: 2023-March-01Security risk: Less critical 8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to add social sharing buttons to a site.

The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

• If you use the Better Social Sharing Buttons module for Drupal 9 or 10, upgrade to Better Social Sharing Buttons 4.0.3

Reported By: 

• cydave

Fixed By: 

• cydave
• Shelane French

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Apigee EdgeDate: 2023-February-01Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Solution: 

Install the latest version:

• If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8
• If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27

Reported By: 

• Dezső Biczó

Fixed By: 

• Dezső Biczó
• Shishir Suvarna

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Media Library Form API ElementVersion: 8.x-1.38.x-1.28.x-1.1Date: 2023-January-18Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: >=2.0 <2.0.6Description: 

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Solution: 

Install the latest version:

• If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
• If you use the Media Library Form API Element module version 8.x-1.* they are all affected and are no longer supported. You should upgrade to 2.0.6.

Reported By: 

• Benji Fisher of the Drupal Security Team
• Dan Flanagan

Fixed By: 

• Kim Kennof
• Lauri Eskola
• Alex Bronstein of the Drupal Security Team
• Luke Leber
• Lee Rowlands of the Drupal Security Team

Coordinated By: 

• xjm of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: Drupal coreDate: 2023-January-18Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2Description: 

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 10.0, update to Drupal 10.0.2.
• If you are using Drupal 9.5, update to Drupal 9.5.2.
• If you are using Drupal 9.4, update to Drupal 9.4.10.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.

Reported By: 

• Dan Flanagan

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Dan Flanagan
• Sean Blommaert
• xjm of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• Dave Long of the Drupal Security Team
• Jen Lampton, provisional member of the Drupal Security Team
• Sascha Grossenbacher
• Lauri Eskola, provisional member of the Drupal Security Team

Project: Media Library BlockDate: 2023-January-18Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=1.0 <1.0.4Description: 

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution: 

Install the latest version:

• If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.

Reported By: 

• Lee Rowlands of the Drupal Security Team
• Dan Flanagan

Fixed By: 

• ayalon
• xjm of the Drupal Security Team
• Jan Hug
• Dan Flanagan

Coordinated By: 

• Dave Reid of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Entity BrowserDate: 2023-January-18Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureDescription: 

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Solution: 

Install the latest version:

• If you use the Entity Browser module for Drupal 9 or 10, upgrade to Entity Browser 8.x-2.9.

Reported By: 

• Lee Rowlands of the Drupal Security Team

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Sascha Grossenbacher
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team
• Dan Flanagan

Coordinated By: 

• xjm of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: Private Taxonomy TermsDate: 2023-January-11Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"

Solution: 

Install the latest version:

• If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6

Reported By: 

• Giuseppe

Fixed By: 

• Conrad Lara
• Giuseppe

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: File (Field) PathsDate: 2022-December-14Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Solution: 

Install the latest version:

• If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2

Reported By: 

• Hayato Goto
• Drew Webber of the Drupal Security Team
• Steve Bink

Fixed By: 

• Hayato Goto
• David Snopek of the Drupal Security Team
• Vijay Mani provisional member of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Oleh Vehera
• Damien McKenna of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: H5P - Create and Share Rich Content and ApplicationsDate: 2022-December-14Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Solution: 

Install the latest version:

• If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51

Reported By: 

Disclosed publicly.

Fixed By: 

• Frode Petterson
• paalj

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Entity RegistrationDate: 2022-December-07Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=7.1.0 <7.1.9Description: 

This module enables you to create registration entities related to nodes.

The module doesn't sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Solution: 

Install the latest version:

• If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.9 release

Note: Sites that allow non-administrative users to manage registrations because the users can update the registration host entity and have "update own registration" permission for a given registration type, may need to give those users the "administer own registration" permission for them to retain the ability to manage registrations after installing this upgrade.

Reported By: 

• Joël Pittet

Fixed By: 

• Joël Pittet
• Maria Fisher
• john.oltman

Coordinated By: 

• James Gilliland of the Drupal Security Team

Reported at: 20 November 2022