News reader

Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011

Security advisories (contrib) - 15 March 2023, 18:40
Project: Responsive media Image Formatter
Date: 2023-March-15
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010

Security advisories (contrib) - 15 March 2023, 18:22
Project: Media Responsive Thumbnail
Date: 2023-March-15
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information disclosure
Description:

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.

This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.

This release was coordinated with SA-CORE-2023-002.

Solution: 

Install the latest version:


Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

Security advisories (core) - 15 March 2023, 17:26
Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14/25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker is able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Security advisories (core) - 15 March 2023, 17:24
Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

Security advisories (core) - 15 March 2023, 17:21
Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.


Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009

Security advisories (contrib) - 8 March 2023, 18:46
Project: Gutenberg
Date: 2023-March-08
Security risk: Less critical 8/25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Denial of Service
Description:

This module provides a new UI experience for node editing: the Gutenberg editor.

Improper use of reusable blocks can cause a denial of service (DoS).

This vulnerability is mitigated by the fact that an attacker must have the "use gutenberg" permission to exploit it.

Solution: 

Install the latest version:


Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008

Security advisories (contrib) - 1 March 2023, 18:38
Project: Group control for forums
Date: 2023-March-01
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.0.2
Description:

This module enables you to associate Forums as Group 1.x content and use Group access permissions.

Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.

Solution: 

Install the latest version:


Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Security advisories (contrib) - 1 March 2023, 18:11
Project: Thunder
Date: 2023-March-01
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3
Description:

Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface.

The module does not sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability that can potentially expose email addresses.

Solution: 

Install the latest version:

  • If you use the Thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to Thunder 6.4.6 or Thunder 6.5.3, respectively.

Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006

Security advisories (contrib) - 1 March 2023, 16:15
Project: Better Social Sharing Buttons
Date: 2023-March-01
Security risk: Less critical 8/25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to add social sharing buttons to a site.

The module does not sufficiently sanitize the weight and ratio values entered in the module or block configuration.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:


Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

Security advisories (contrib) - 1 February 2023, 17:13
Project: Apigee Edge
Date: 2023-February-01
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Solution: 

Install the latest version:

  • If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8.
  • If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27.

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Security advisories (contrib) - 18 January 2023, 18:49
Project: Media Library Form API Element
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1
Date: 2023-January-18
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Affected versions: >=2.0 <2.0.6
Description:

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Solution: 

Install the latest version:

  • If you use the Media Library Form API Element module version 2.x for Drupal 9 or 10, upgrade to 2.0.6.
  • If you use the Media Library Form API Element module version 8.x-1.*, all of those releases are affected and are no longer supported; upgrade to 2.0.6.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Security advisories (core) - 18 January 2023, 18:40
Project: Drupal core
Date: 2023-January-18
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2
Description:

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.


Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Security advisories (contrib) - 18 January 2023, 18:36
Project: Media Library Block
Date: 2023-January-18
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=1.0 <1.0.4
Description:

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution: 

Install the latest version:


Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

Security advisories (contrib) - 18 January 2023, 18:28
Project: Entity Browser
Date: 2023-January-18
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Description:

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Solution: 

Install the latest version:


Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Security advisories (contrib) - 11 January 2023, 18:15
Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables users to create 'private' vocabularies.

The module does not enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".

Solution: 

Install the latest version:


File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

Security advisories (contrib) - 14 December 2022, 16:47
Project: File (Field) Paths
Date: 2022-December-14
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The File (Field) Paths module extends the default functionality of Drupal's core File module by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

A configuration change in the admin UI at /admin/config/media/file-system/filefield-paths mitigates this problem: the temporary file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Solution: 

Install the latest version:


H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Security advisories (contrib) - 14 December 2022, 16:34
Project: H5P - Create and Share Rich Content and Applications
Date: 2022-December-14
Security risk: Moderately critical 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to create interactive content.

The module does not sufficiently prevent path traversal via the file names contained in uploaded .h5p archives.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Solution: 

Install the latest version:

  • If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51.

Reported By: Disclosed publicly.

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Security advisories (contrib) - 7 December 2022, 20:12
Project: Entity Registration
Date: 2022-December-07
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=7.1.0 <7.1.9
Description:

This module enables you to create registration entities related to nodes.

The module does not sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Solution: 

Install the latest version:

Note: Sites that allow non-administrative users to manage registrations (because those users can update the registration host entity and have the "update own registration" permission for a given registration type) may need to grant those users the "administer own registration" permission so that they retain the ability to manage registrations after installing this upgrade.

Reported at: 20 November 2022