News reader

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

Security advisories (contrib) - 16 June 2021, 18:15
Project: Block Content Revision UI
Date: 2021-June-16
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI to Block Content entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:


Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016

Security advisories (contrib) - 16 June 2021, 18:05
Project: Linky Revision UI
Date: 2021-June-16
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI to Linky entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:


Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015

Security advisories (contrib) - 16 June 2021, 17:58
Project: Chaos Tool Suite (ctools)
Date: 2021-June-16
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal. Its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal core 8.0.x and port them.

The module doesn't sufficiently handle block access control on its EntityView plugin. This is a follow-up to more fully implement the fixes from SA-CONTRIB-2021-009.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions to be in place, such as a custom blockAccess() method that differs from the default return value of AccessResult::allowed() and a class extending EntityView.

Solution: 

Install the latest version:

  • If you use the CTools module for Drupal 8.x, upgrade to CTools 8.x-3.7

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

Security advisories (contrib) - 2 June 2021, 18:59
Project: OpenID Connect / OAuth client
Date: 2021-June-02
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module allows users to authenticate against an OAuth 2.0 / OpenID Connect identity provider to log in to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access via the 'password reset' facility for users who are supposed to be able to log in only through the identity provider. As a result, a user who has been blocked from logging in through the identity provider but not explicitly blocked in Drupal is still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution: 

Install the latest version:


GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013

Security advisories (contrib) - 2 June 2021, 18:56
Project: GraphQL
Date: 2021-June-02
Security risk: Moderately critical 11/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module lets you craft and expose a GraphQL web service API.

The module does not sufficiently protect arbitrary exception and error messages, thereby exposing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data producer must be configured that throws exceptions whose error messages are confidential and must not be exposed over the GraphQL API.

Solution: 

Install the latest version:


Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012

Security advisories (contrib) - 2 June 2021, 18:54
Project: Frequently Asked Questions
Date: 2021-June-02
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Frequently Asked Questions (faq) module allows users with appropriate permissions to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the configured FAQ nodes. Basic Views layouts are also provided and can be customised via the Views UI (rather than via the module settings page).

The module doesn't sufficiently sanitize editor input leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "create faq content" permission.

Solution: 

Install the latest version:


Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Security advisories (contrib) - 2 June 2021, 18:51
Project: Open Social
Date: 2021-June-02
Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Authentication Bypass
Description:

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and log in to such an account.

This vulnerability is mitigated by the fact that the social_magic_login module must be enabled.

Solution: 

Install the latest version of Open Social:

Alternatively, disable the module social_magic_login.


Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Security advisories (contrib) - 2 June 2021, 18:49
Project: Open Social
Date: 2021-June-02
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description:

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions".

Solution: 

Install the latest version:

  • If you use Open Social 9.x, upgrade to 8.x-9.17
  • If you use Open Social 10.0.x, upgrade to 10.0.13
  • If you use Open Social 10.1.x, upgrade to 10.1.6

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

Security advisories (core) - 26 May 2021, 20:33
Project: Drupal core
Date: 2021-May-26
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Cross Site Scripting
Description:

Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.

Users of the CKEditor library by means other than Drupal core should update their third-party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team's policy is not to alert for issues affecting third-party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details.

This issue is mitigated by the fact that it only affects sites with CKEditor enabled.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.


Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Security advisories (contrib) - 12 May 2021, 18:23
Project: Chaos Tool Suite (ctools)
Version: 8.x-3.5, 8.x-3.4, 8.x-3.3, 8.x-3.2, 8.x-3.1, 8.x-3.0
Date: 2021-May-12
Security risk: Moderately critical 12/25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information disclosure
Description:

The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal. Its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal core 8.0.x and port them.

The module doesn't sufficiently handle access control on its EntityView plugin.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions to be in place, such as custom solutions that allow injecting the context by means other than the route.

Solution: 

Install the latest version:


Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008

Security advisories (contrib) - 12 May 2021, 18:14
Project: Facets
Version: 8.x-1.x-dev
Date: 2021-May-12
Security risk: Moderately critical 11/25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Description:

This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.

The module doesn't sufficiently filter all output in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".

Solution: 

Install the latest version:

  • If you use the Facets module for Drupal 8.x/9.x, upgrade to Facets 8.x-1.8

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Security advisories (contrib) - 12 May 2021, 18:08
Project: Gutenberg
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2021-May-12
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations, allowing anonymous users to delete blocks.

Solution: 

Install the latest version:

  • If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12
  • If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0
  • For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks.

SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006

Security advisories (contrib) - 28 April 2021, 18:47
Project: SAML Authentication
Date: 2021-April-28
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The SAML Authentication module allows users to authenticate against a SAML identity provider to log in to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access via the 'password reset' facility for users who are supposed to be able to log in only through the identity provider. As a result, a user who has been blocked from logging in through the identity provider but not explicitly blocked in Drupal is still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution: 

Install the latest version:


Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Security advisories (core) - 21 April 2021, 17:58
Project: Drupal core
Date: 2021-April-21
Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Description:

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.


Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005

Security advisories (contrib) - 17 March 2021, 19:36
Project: Fast Autocomplete
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be served to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from its default (on) to off.

This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.

Solution: 

Install the latest version:

Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.

Fast Autocomplete for Drupal 7.x is not affected.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004

Security advisories (contrib) - 3 March 2021, 17:49
Project: Webform
Date: 2021-March-03
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default
Vulnerability: Access bypass
Description:

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address also receives a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.

Solution: 

Install the latest version:

If you are using a previous release of the Webform module, you can immediately take one of the following steps:

  1. Delete the default Contact form. (/form/contact)
  2. Delete the default Contact form's confirmation email handler. (/admin/structure/webform/manage/contact/handlers)
  3. Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
  4. Add SPAM protection to the default Contact form.