Hírolvasó
Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044
This module enables users to remain logged in separately from session timeouts.
The module doesn't sufficiently check a user's disabled status when validating cookies.
This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.
Solution:Install the latest version:
- If you use the Persistent Login 8.x-1.x, upgrade to Persistent Login 8.x-1.8
- If you use the Persistent Login 2.x, upgrade to Persistent Login 2.2.2
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Drew Webber of the Drupal Security Team
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently migrate sessions before prompting for a second factor token.
This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.
Solution:Install the latest version:
- If you use the Two-factor Authentication (TFA) module for Drupal 8+ upgrade to Two-factor Authentication (TFA) 8.x-1.8
- If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade to Two-factor Authentication (TFA) 7.x-2.4
- Francesco Placella
- Juraj Nemec of the Drupal Security Team
- Conrad Lara
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042
This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.
The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.
Solution:Install the latest version:
- If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041
The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.
The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings.
Solution:Install the latest version:
- If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.
The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.
This vulnerability only affects sites with private files.
Solution:Install the latest version:
- If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 or newer.
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039
This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers.
The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data.
This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages.
Solution:Install the latest version:
- If you use the 7.x-1.x branch of the seckit module, upgrade to seckit 7.x-1.13
- If you use the 2.0.x branch of the seckit module, upgrade to seckit 2.0.3
- jweowu
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
Open Social is a Drupal distribution for online communities.
The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.
Solution:Install the latest version:
- If you use Open Social 12.3.x, upgrade to Open Social 12.3.8
- If you use Open Social 12.4.x, upgrade to Open Social 12.4.5
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed.
This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.
Added URL's were not sufficiently validated which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS.
This vulnerability is mitigated by the fact that social_embed submodule needs to be enabled.
Solution:Install the latest version:
- If you use Open Social 12.3.x, upgrade to Open Social 12.3.8
- If you use Open Social 12.4.x, upgrade to Open Social 12.4.5
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).
This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.
Information disclosureSeveral routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.
Access bypassThe paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type.
These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content" which is commonly assigned to all roles.
Solution:Install the latest version:
- If you use the paragraphs_table module 8.x-1.x, upgrade to paragraphs_table 8.x-1.23
- If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table 2.0.2 or newer
- Greg Knaddison of the Drupal Security Team
- Jess of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035
This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.
The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.
This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.
Solution:Install the latest version:
- If you use the content_entity_clone module prior to version 1.0.4, upgrade to content_entity_clone 1.0.4
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.
The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.
Solution:Install the latest version:
- If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
- If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033
This module enables you to cache pages for logged in users at the Varnish level.
The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.
Solution:There are two steps. Install the latest version and update your configuration:
- If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to Advanced Varnish 4.0.11
- Go to the module configuration page and set an appropriate value to the hashing noise configuration.
- Heine Deelstra of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Alexander Shumenko
- Greg Knaddison of the Drupal Security Team
Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032
The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages.
Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).
This vulnerability is mitigated by the fact that it affected only specific activity types.
Solution:Install the latest version:
- If you use the opigno module, upgrade to opigno 7.x-1.23
- Yurii Boichenko
- Marcin Grabias
- catch of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031
The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question.
Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).
This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission to create or edit "TinCan Package" content type.
Solution:Install the latest version:
- If you use the opigno_tincan_question_type module, upgrade to opigno_tincan_question_type 7.x-1.3
- Juraj Nemec of the Drupal Security Team
- Marcin Grabias
- catch of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Axel Minck
- Yurii Boichenko
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030
This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths.
The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access hooks meaning the titles of restricted nodes can appear in the menu.
Only sites with modules that implement hook_ENTITY_TYPE_access to restrict access to nodes are effected.
Solution:Install the latest version:
- If you use the 4.x branch of the responsive_menu module upgrade to 4.4.4
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Drew Webber of the Drupal Security Team
Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029
The Opigno Learning Path module enables you to manage group content.
Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".
Solution:Install the latest version:
- If you use the opigno_learning_path module, upgrade it to opigno_learning_path >= 3.1.2
- Marcin Grabias
- catch of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028
The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.
In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).
This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".
Solution:Install the latest version:
- If you use the opigno_module module, upgrade to opigno_module >= 3.1.2
- Marcin Grabias
- catch of the Drupal Security Team
- Yurii Boichenko
- Axel Minck
- Yuriy Korzhov
- Andrii Aleksandrov
- catch of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027
The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.
An administration form allows execution of arbitrary code.
This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.
Solution:Install the latest version:
- If you use the opigno_group_manager module for Drupal 10.x, upgrade to opigno_group_manager 3.1.1
- catch of the Drupal Security Team
- Marcin Grabias
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026
The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes.
The module doesn't validate the content of classes. A malicious user with access to the View Password Settings Form could add malicious code in the classes field.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".
Solution:Install the latest version:
- If you use the View Password module upgrade to View Password 6.0.4.
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team