Hírolvasó

Project: Acquia DAMDate: 2024-June-05Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypass, Denial of ServiceAffected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3Description: 

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.

The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.

Solution: 

Install the latest version:

• If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13.
• If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3. (Note: beta releases generally do not receive security coverage.)

Reported By: 

• Matt Glaman

Fixed By: 

• Matt Glaman
• Greg Knaddison of the Drupal Security Team
• Balázs Ertl-Bakos
• Jakob Perry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team

Project: Migrate queue importerDate: 2024-May-29Security risk: Moderately critical 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <2.1.1Description: 

The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs.

The module doesn't sufficiently protect against Cross Site Request Forgery
under specific scenarios allowing an attacker to enable/disable a cron migration.

This vulnerability is mitigated by the fact that an attacker must know the
id of the migration.

Solution: 

Install the latest version:

• If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• David Bätge
• Pierre Rudloff

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Image SizesDate: 2024-May-29Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <3.0.2Description: 

This module enables you to create responsive image styles that depend on the parent element's width.

The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios.

Solution: 

Install the latest version.

• If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes 3.0.2

Reported By: 

• Dezső Biczó

Fixed By: 

• Dezső Biczó
• Pascal Crott
• Juraj Nemec of the Drupal Security Team

Coordinated By: 

• Juraj Nemec of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Drupal REST & JSON API AuthenticationDate: 2024-May-29Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.13Description: 

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc.

The module doesn't sufficiently control user access when using Basic Authentication.

Solution: 

Install the latest version:

• If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13
• If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13, as the 8.x-1.x branch is now unsupported.

Reported By: 

• Arek Suchecki

Fixed By: 

• solideogloria
• Shashank Thigale
• Arek Suchecki
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Commerce View ReceiptDate: 2024-May-22Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.3Description: 

The Commerce View Receipts module enables you to view commerce order receipts in the browser.

The module doesn't sufficiently check access permissions, allowing a malicious to view the private information of other customers.

Solution: 

Install the latest version.

• If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3.

Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.

Reported By: 

• Norman Kämper-Leymann

Fixed By: 

• Norman Kämper-Leymann
• Greg Mack
• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• xjm of the Drupal Security Team

Project: Email ContactDate: 2024-May-22Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.4Description: 

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.

The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.

Solution: 

Install the latest version:

• If you use the 2.0.x branch, upgrade to email_contact 2.0.4.
• If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4, as the 8.x-1.x branch is now unsupported.

Reported By: 

• Claudiu Cristea

Fixed By: 

• Claudiu Cristea
• Bálint Nagy
• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• xjm of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: RESTful Web ServicesDate: 2024-May-15Security risk: Critical 16∕25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:AllVulnerability: Access bypassDescription: 

This module exposes Drupal resources (e.g. entities) as RESTful web services.

The module doesn't sufficiently restrict access for user resources.

Solution: 

Install the latest version:

• If you use the RESTful Web Services module for Drupal 7, upgrade to RESTful Web Services 7.x-2.10

Reported By: 

• Fran Garcia-Linares

Fixed By: 

• Neil Drumm of the Drupal Security Team
• Fran Garcia-Linares

Coordinated By: 

• Neil Drumm of the Drupal Security Team

Project: REST ViewsDate: 2024-April-24Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <3.0.1Description: 

The Rest views module lets site admins create rest exports in views with additional options for serializing data.

This module does not accurately check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that there must be a specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.

Solution: 

Install the latest version:

• REST Views 8.x-1.x versions are unsupported.
• REST Views 2.x versions upgrade to Rest Views 3.0.1
• REST Views 3.x versions prior to 3.0.1 upgrade to Rest Views 3.0.1

Reported By: 

• nicxvan

Fixed By: 

• nicxvan

Coordinated By: 

• Benji Fisher of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Cathy Theys of the Drupal Security Team

Project: Advanced PWADate: 2024-April-24Security risk: Critical 16∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.5.0Description: 

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.

This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.

Solution: 

Install the latest version:

• If you use the Advanced Progressive Web App module for Drupal 8.x, upgrade to Advanced Progressive Web App 8.x-1.5

Reported By: 

• Matthew Grasmick

Fixed By: 

• gMaximus

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• cilefen of the Drupal Security Team
• Cathy Theys of the Drupal Security Team