Hírolvasó

Project: Content Moderation NotificationsDate: 2023-September-27Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:AllVulnerability: Information disclosureAffected versions: >=3.0.0 <3.6.0Description: 

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content_moderation module.

The module doesn't sufficiently check access to content when sending notifications.
This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.

Solution: 

Install the latest version:

• If you use the Content Moderation Notifications module for Drupal 8.x, upgrade to Content Moderation Notifications 8.x-3.6.

Reported By: 

• lucasantunes

Fixed By: 

• Jonathan Hedstrom
• Luke Leber
• Rob Holmes

Coordinated By: 

• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Entity cacheDate: 2023-September-27Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: 

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.

Solution: 

Install the latest version:

• If you use the Entity cache module for Drupal 7.x, upgrade to Entity cache 7.x-1.7.

Reported By: 

• Gary Sargent

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Gary Sargent
• Drew Webber of the Drupal Security Team
• xjm of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Linus Cash
• Neil Hodgkinson

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2023-September-20Security risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: Cache poisoningAffected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4Description: 

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution: 

Install the latest version:

• If you are using Drupal 10.1, update to Drupal 10.1.4.
• If you are using Drupal 10.0, update to Drupal 10.0.11.
• If you are using Drupal 9.5, update to Drupal 9.5.11.

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By: 

• ghostccamm

Fixed By: 

• Drew Webber of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• xjm of the Drupal Security Team
• Wim Leers
• Benji Fisher of the Drupal Security Team

Project: Mail LoginDate: 2023-September-13Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.8.0Description: 

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

Solution: 

Install the latest version:

• If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.8

Reported By: 

• Melisa Cordero

Fixed By: 

• Melisa Cordero
• Mohammad AlQanneh

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team

Project: WebProfilerDate: 2023-September-06Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: > 10.1.0 < 10.1.1Description: 

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.

The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.

This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.

Solution: 

Install the latest version:

• If you use the WebProfiler module for Drupal 10x, upgrade to WebProfiler 10.1.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• Luca Lusso
• Pierre Rudloff

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: highlight.phpDate: 2023-September-06Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: < 1.0.1Description: 

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently filter user-entered data.

Solution: 

Install the latest version:

• If you use the highlight.php module, upgrade to highlight.php 1.0.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• Andrei Ivnitskii
• Pierre Rudloff

Coordinated By: 

• Benji Fisher of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Obfuscate EmailDate: 2023-August-30Security risk: Less critical 5∕25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.0.1Description: 

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

Solution: 

Install the latest version:

• If you use the Obfuscate Email module for Drupal 2.0.0, upgrade to Obfuscate Email 2.0.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• b_sharpe
• Pierre Rudloff

Coordinated By: 

• cilefen of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Unified Twig ExtensionsDate: 2023-August-30Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.1.1Description: 

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Solution: 

Install the latest version:

• If you use the Unified Twig Extensions module, upgrade to Unified Twig Extensions 1.1.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• Oleksandr Kuzava
• Pierre Rudloff

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Data fieldVersion: 1.0.151.0.141.0.131.0.121.0.111.0.101.0.91.0.81.0.71.0.61.0.51.0.41.0.31.0.21.0.11.0.0Date: 2023-August-23Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.0.16Description: 

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.

Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.

Solution: 

Install the latest version:

• If you use the Data Field module for Drupal 1.x, upgrade to Data Field 1.0.16

Reported By: 

• Mitch Portier

Fixed By: 

• Mitch Portier
• Damien McKenna of the Drupal Security Team
• NGUYEN Bao
• Joseph Olstad

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Stella Power of the Drupal Security Team

Project: SafeDeleteVersion: 1.0.431.0.421.0.411.0.401.0.391.0.381.0.361.0.351.0.341.0.331.0.321.0.311.0.301.0.291.0.281.0.271.0.261.0.251.0.241.0.231.0.221.0.211.0.201.0.191.0.181.0.171.0.161.0.151.0.141.0.131.0.121.0.111.0.101.0.91.0.81.0.71.0.51.0.41.0.31.0.21.0.11.0.0Date: 2023-August-23Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.44Description: 

This module aims to prevent broken content references by informing content editors either on delete or archive moderation.

The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content.

Solution: 

Install the latest version:

• If you use the SafeDelete module for Drupal 8/9 or 10, please upgrade to SafeDelete 1.0.44

Reported By: 

• Christopher Hopper

Fixed By: 

• Joseph Olstad
• Cathy Theys of the Drupal Security Team
• James Yao
• Christopher Hopper

Coordinated By: 

• Cathy Theys of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: ShorthandVersion: 4.0.24.0.14.0.0Date: 2023-August-23Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.0.3Description: 

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling".

The module does not check appropriate permissions when displaying a list of all shorthand stories.

Solution: 

Install the latest version:

• If you use the Shorthand module for Drupal 8+, upgrade to Shorthand 4.0.3

Reported By: 

• Paul Martin

Fixed By: 

• Vladimir Roudakov

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Dave Long of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Config PagesVersion: 8.x-2.88.x-2.78.x-2.68.x-2.58.x-2.48.x-2.38.x-2.28.x-2.18.x-2.0Date: 2023-August-23Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.9.0Description: 

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.

Solution: 

Install the latest version:

• If you use the Config Pages module for Drupal 8+, upgrade to Config Pages 8.x-2.9

Reported By: 

• Nate Andersen

Fixed By: 

• Nate Andersen
• Alexander Shumenko

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Flexi AccessDate: 2023-August-23Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescription: 

The Flexi Access module will provide a simple and flexible interface to the ACL (Access Control List) module. It will let you set up and mange ACLs naming individual users that are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that known exploit paths require an attacker to have a combination of permissions provided by the module; for example "access flexiaccess" and "flexiaccess view". See _flexiaccess_node_access() for details. The "administer flexiaccess" permission alone does not grant access to the vulnerable functionality.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Flexi Access depends.

Solution: 

Install the latest version:

• If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access 7.x-1.3.
  The ACL module (a dependency) must also be updated.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Gisle Hannemyr

Coordinated By: 

• Drew Webber of the Drupal Security Team
• Cathy Theys of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Forum AccessDate: 2023-August-23Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <1.0.0Description: 

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

Solution: 

Install the latest version:

• If you use the Forum Access module for Drupal 7.x, upgrade to Forum Access 7.x-1.6
• If you use the Forum Access module 8.x-1.0-beta3 or below, upgrade to Forum Access 8.x-1.0

The ACL module (a dependency) must also be updated.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Hans Salvisberg
• Jen Lampton Provisional Member of the Drupal Security Team

Coordinated By: 

• Drew Webber of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: ACLDate: 2023-August-23Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <1.0.0Description: 

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

• Forum Access
• Flexi Access
• Content Access

Coordinated Security Advisories are being released for those client modules that have Security coverage.

Solution: 

Install the latest version:

• If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4
• If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0

Any client modules that depend on ACL should also be updated.

Reported By: 

• Drew Webber of the Drupal Security Team
• Samuel Mortenson

Fixed By: 

• Drew Webber of the Drupal Security Team
• Hans Salvisberg
• Jen Lampton Provisional Member of the Drupal Security Team
• xeM8VfDh

Coordinated By: 

• Drew Webber of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Matomo AnalyticsDate: 2023-August-02Security risk: Less critical 8∕25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.22.0Description: 

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.

Solution: 

Install the latest version:

• If you use the Matomo Analytics module for Drupal 7, upgrade to Matomo Analytics 7.x-2.15
• If you use the Matomo Analytics module 8.x-1.21 and below, upgrade to Matomo Analytics 8.x-1.22

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Carsten Logemann
• Florent Torregrosa
• Pierre Rudloff

Coordinated By: 

• Neil Drumm of the Drupal Security Team

Project: Minify Source HTMLDate: 2023-July-26Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:None/E:Proof/TD:AllVulnerability: Cross site scriptingAffected versions: <1.13.0 || >=2.0.0 <2.0.3Description: 

Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection.

Solution: 

Install the latest version:

• If you use the Minify Source HTML module for Drupal 7.x, upgrade to Minify Source HTML 7.x-1.11
• If you use the Minify Source HTML module for Drupal 8.x/9.x, upgrade to Minify Source HTML 8.x-1.13
• If you use the Minify Source HTML module for Drupal 9.x/10.x, upgrade to Minify Source HTML 2.0.3

Reported By: 

• Pierre Rudloff

Fixed By: 

• Scott Joudry
• Pierre Rudloff

Project: Drupal Symfony MailerDate: 2023-July-26Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryAffected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3Description: 

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Solution: 

• If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2.
• If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3.

Reported By: 

• Mingsong

Fixed By: 

• Mingsong
• Adam Shepherd
• Lee Rowlands of the Drupal Security Team

Project: Two-factor Authentication (TFA)Date: 2023-July-12Security risk: Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Access bypassAffected versions: ^1 <= 1.0.0Description: 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

Solution: 

Install the latest version:

• If you use the Two-factor Authentication (TFA) module for Drupal 8/9 please upgrade to TFA 8.x-1.1

Ensure all additional external forms of authentication, such as REST, have been disabled.

Reported By: 

• Conrad Lara
• Benji Fisher of the Drupal Security Team

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• João Ventura
• Conrad Lara
• Benji Fisher of the Drupal Security Team
• Mingsong
• Jonathan Daggerhart
• Vitaliy Bogomazyuk
• Giles Birch
• N Cantrell
• Reinder Venema
• Rory Downes

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: TacJSDate: 2023-June-28Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.

Solution: 

Install the latest version:

• If you use the tacjs alert module, upgrade to tacjs 8.x-6.4

Reported By: 

• Pierre Rudloff

Fixed By: 

• Amine Boulaffas
• Frank Mably

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Cathy Theys of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team