News reader

Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025

Security advisories (contrib) - 5 June 2024, 18:45

Project: Acquia DAM
Date: 2024-June-05
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass, Denial of Service
Affected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3
Description:

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.

The module doesn't sufficiently protect the ability to disconnect a site from DAM. While a disconnected site does not lose asset data in Drupal, disconnection prevents site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while the site is disconnected.

Solution: 

Install the latest version:

  • If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13.
  • If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3. (Note: beta releases generally do not receive security coverage.)

Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024

Security advisories (contrib) - 29 May 2024, 18:58

Project: Migrate queue importer
Date: 2024-May-29
Security risk: Moderately critical 10/25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery
Affected versions: <2.1.1
Description:

The Migrate queue importer module enables you to create cron migrations (configuration entities) with a reference to migration entities in order to import them during cron runs.

The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios, allowing an attacker to enable or disable a cron migration.

This vulnerability is mitigated by the fact that an attacker must know the id of the migration.

Solution: 

Install the latest version.


Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

Security advisories (contrib) - 29 May 2024, 18:52

Project: Image Sizes
Date: 2024-May-29
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <3.0.2
Description:

This module enables you to create responsive image styles that depend on the parent element's width.

The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios.

Solution: 

Install the latest version.


Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Security advisories (contrib) - 29 May 2024, 18:44

Project: Drupal REST & JSON API Authentication
Date: 2024-May-29
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.0.13
Description:

The Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods, including Basic Authentication, API Key Authentication, JWT Authentication, OAuth Authentication, External / Third-Party Provider Authentication, etc.

The module doesn't sufficiently control user access when using Basic Authentication.

Solution: 

Install the latest version.


Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021

Security advisories (contrib) - 22 May 2024, 18:21

Project: Commerce View Receipt
Date: 2024-May-22
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.0.3
Description:

The Commerce View Receipts module enables you to view commerce order receipts in the browser.

The module doesn't sufficiently check access permissions, allowing a malicious user to view the private information of other customers.

Solution: 

Install the latest version.

Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.


Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

Security advisories (contrib) - 22 May 2024, 18:03

Project: Email Contact
Date: 2024-May-22
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <2.0.4
Description:

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.

The module does not sufficiently handle restricted entity or field access to the mail sending form when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.

Solution: 

Install the latest version.


RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019

Security advisories (contrib) - 15 May 2024, 17:42

Project: RESTful Web Services
Date: 2024-May-15
Security risk: Critical 16/25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:All
Vulnerability: Access bypass
Description:

This module exposes Drupal resources (e.g. entities) as RESTful web services.

The module doesn't sufficiently restrict access for user resources.

Solution: 

Install the latest version.


REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

Security advisories (contrib) - 24 April 2024, 16:23

Project: REST Views
Date: 2024-April-24
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: <3.0.1
Description:

The REST Views module lets site admins create REST exports in Views with additional options for serializing data.

This module does not accurately check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that there must be a specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.

Solution: 

Install the latest version:

  • REST Views 8.x-1.x versions are unsupported.
  • If you use REST Views 2.x, upgrade to REST Views 3.0.1.
  • If you use REST Views 3.x prior to 3.0.1, upgrade to REST Views 3.0.1.

Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017

Security advisories (contrib) - 24 April 2024, 15:16

Project: Advanced PWA
Date: 2024-April-24
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.5.0
Description:

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.

This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.

Solution: 

Install the latest version.


TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

Security advisories (contrib) - 27 March 2024, 18:16

Project: TacJS
Date: 2024-March-27
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: <6.5.0
Description:

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content, leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.

This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.

Solution: 

Install the latest version:

  • If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.5.

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

Security advisories (contrib) - 6 March 2024, 18:06

Project: Registration role
Date: 2024-March-06
Security risk: Critical 18/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <2.0.1
Description:

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Solution: 

Install the latest version.

Review user accounts registered between 2023 July 11 and now for additional roles you did not intend them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or the development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, users who registered received all roles, up until you re-saved the settings form or installed the new release, whichever came first.

Also, upgrade to the latest version and run the update hooks at update.php or with Drush (drush updb).

OR: Immediately re-save the configuration page at /admin/people/registration-role
