Hírolvasó

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

Biztonsági figyelmeztetések (contrib) - 2024. október 2. 18.27
Project: Persistent LoginDate: 2024-October-02Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0 || >=2.2.0 <2.2.2 || 2.0.* || 2.1.*Description: 

This module enables users to remain logged in separately from session timeouts.

The module doesn't sufficiently check a user's disabled status when validating cookies.

This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

Biztonsági figyelmeztetések (contrib) - 2024. október 2. 18.20
Project: Two-factor Authentication (TFA)Date: 2024-October-02Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0Description: 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

Biztonsági figyelmeztetések (contrib) - 2024. október 2. 18.15
Project: DiffDate: 2024-October-02Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypass, Information DisclosureAffected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3Description: 

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.

Solution: 

Install the latest version:

  • If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8
Reported By: Fixed By: Coordinated By: 

Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 18. 18.18
Project: Smart IP BanDate: 2024-September-18Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 11. 18.38
Project: File Entity (fieldable files)Date: 2024-September-11Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureDescription: 

This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.

This vulnerability only affects sites with private files.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 11. 18.21
Project: Security KitDate: 2024-September-11Security risk: Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: <2.0.3Description: 

This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers.

The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data.

This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages.

Solution: 

Install the latest version:

  • If you use the 7.x-1.x branch of the seckit module, upgrade to seckit 7.x-1.13
  • If you use the 2.0.x branch of the seckit module, upgrade to seckit 2.0.3
Reported By: Fixed By: Coordinated By: 

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 4. 18.20
Project: Open SocialDate: 2024-September-04Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11Description: 

Open Social is a Drupal distribution for online communities.

The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 4. 18.15
Project: Open SocialDate: 2024-September-04Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Scripting, Denial of ServiceAffected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11Description: 

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed.

This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.

Added URL's were not sufficiently validated which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS.

This vulnerability is mitigated by the fact that social_embed submodule needs to be enabled.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 4. 17.42
Project: Paragraphs tableDate: 2024-September-04Security risk: Critical 15∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.23.0 || >=2.0.0 <2.0.2Description: 

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).

This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.

Information disclosure

Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.

Access bypass

The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content" which is commonly assigned to all roles.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 4. 17.40
Project: Content Entity CloneDate: 2024-September-04Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: <1.0.4Description: 

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.

The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.

This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034

Biztonsági figyelmeztetések (contrib) - 2024. szeptember 4. 17.35
Project: FreelinkingDate: 2024-September-04Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <4.0.1Description: 

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.

The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.

Solution: 

Install the latest version:

  • If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
  • If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported
Reported By: Fixed By: Coordinated By: 

Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 28. 17.32
Project: Advanced VarnishDate: 2024-August-28Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.0.11Description: 

This module enables you to cache pages for logged in users at the Varnish level.

The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.

Solution: 

There are two steps. Install the latest version and update your configuration:

  1. If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to Advanced Varnish 4.0.11
  2. Go to the module configuration page and set an appropriate value to the hashing noise configuration.
Reported By: Fixed By: Coordinated By: 

Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 21. 18.34
Project: OpignoDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it affected only specific activity types.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 21. 18.28
Project: Opigno TinCan Question TypeDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission to create or edit "TinCan Package" content type.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 21. 18.23
Project: Responsive and off-canvas menuDate: 2024-August-21Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <4.4.4Description: 

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths.

The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access hooks meaning the titles of restricted nodes can appear in the menu.

Only sites with modules that implement hook_ENTITY_TYPE_access to restrict access to nodes are effected.

Solution: 

Install the latest version:

  • If you use the 4.x branch of the responsive_menu module upgrade to 4.4.4
Reported By: Fixed By: Coordinated By: 

Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 7. 19.36
Project: Opigno Learning pathDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno Learning Path module enables you to manage group content.

Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 7. 19.30
Project: Opigno moduleDate: 2024-August-07Security risk: Critical 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.

In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027

Biztonsági figyelmeztetések (contrib) - 2024. augusztus 7. 19.19
Project: Opigno group managerDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <3.1.1Description: 

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.

An administration form allows execution of arbitrary code.

This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026

Biztonsági figyelmeztetések (contrib) - 2024. július 31. 17.59
Project: View PasswordDate: 2024-July-31Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <6.0.4Description: 

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes.

The module doesn't validate the content of classes. A malicious user with access to the View Password Settings Form could add malicious code in the classes field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: