Hírolvasó
Acquia DAM - Moderately critical - Access bypass, Denial of Service - SA-CONTRIB-2024-025
Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.
The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.
Solution:Install the latest version:
- If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13.
- If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3. (Note: beta releases generally do not receive security coverage.)
- Matt Glaman
- Greg Knaddison of the Drupal Security Team
- Balázs Ertl-Bakos
- Jakob Perry
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team
Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs.
The module doesn't sufficiently protect against Cross Site Request Forgery
under specific scenarios allowing an attacker to enable/disable a cron migration.
This vulnerability is mitigated by the fact that an attacker must know the
id of the migration.
Install the latest version:
- If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
This module enables you to create responsive image styles that depend on the parent element's width.
The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios.
Solution:Install the latest version.
- If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes 3.0.2
- Dezső Biczó
- Pascal Crott
- Juraj Nemec of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022
Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc.
The module doesn't sufficiently control user access when using Basic Authentication.
Solution:Install the latest version:
- If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13
- If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13, as the 8.x-1.x branch is now unsupported.
- solideogloria
- Shashank Thigale
- Arek Suchecki
- Greg Knaddison of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
The Commerce View Receipts module enables you to view commerce order receipts in the browser.
The module doesn't sufficiently check access permissions, allowing a malicious to view the private information of other customers.
Solution:Install the latest version.
- If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3.
Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.
Reported By: Fixed By:- Norman Kämper-Leymann
- Greg Mack
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- xjm of the Drupal Security Team
Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.
The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used.
This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.
Solution:Install the latest version:
- If you use the 2.0.x branch, upgrade to email_contact 2.0.4.
- If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4, as the 8.x-1.x branch is now unsupported.
- Claudiu Cristea
- Bálint Nagy
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- xjm of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019
This module exposes Drupal resources (e.g. entities) as RESTful web services.
The module doesn't sufficiently restrict access for user resources.
Solution:Install the latest version:
- If you use the RESTful Web Services module for Drupal 7, upgrade to RESTful Web Services 7.x-2.10
- Neil Drumm of the Drupal Security Team
- Fran Garcia-Linares
- Neil Drumm of the Drupal Security Team
REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
The Rest views module lets site admins create rest exports in views with additional options for serializing data.
This module does not accurately check access and may expose paths to unpublished content.
This vulnerability is mitigated by the fact that there must be a specific content structure to expose.
Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.
Solution:Install the latest version:
- REST Views 8.x-1.x versions are unsupported.
- REST Views 2.x versions upgrade to Rest Views 3.0.1
- REST Views 3.x versions prior to 3.0.1 upgrade to Rest Views 3.0.1
- Benji Fisher of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Cathy Theys of the Drupal Security Team
Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017
Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.
This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.
Solution:Install the latest version:
- If you use the Advanced Progressive Web App module for Drupal 8.x, upgrade to Advanced Progressive Web App 8.x-1.5
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- cilefen of the Drupal Security Team
- Cathy Theys of the Drupal Security Team