Security advisories

Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

Security advisories (contrib) - 29 November 2023, 16:27
Project: Xsendfile
Date: 2023-November-29
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.2.0
Description:

The Xsendfile module enables fast transfer for private files in Drupal.

In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.

Solution: 

Install the latest version:


Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052

Security advisories (contrib) - 15 November 2023, 15:24
Project: Mollie for Drupal
Date: 2023-November-15
Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Faulty payment confirmation logic
Affected versions: <2.2.1
Description:

This module enables you to pay online via Mollie.

The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying.

This vulnerability is mitigated by the fact that an attacker must have some knowledge about the module's internal functionality. The issue only affects installations that use the Mollie for Drupal Commerce submodule.

Solution: 

Install the latest version:


GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051

Security advisories (contrib) - 8 November 2023, 16:33
Project: GraphQL
Date: 2023-November-08
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: <3.4.0 || >=4.0.0 <4.6.0
Description:

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.

The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. If a user visits a malicious site, that site may make requests on the user's behalf, which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your site's CORS configuration.

This vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).

Solution: 

Install the latest version:

This vulnerability can also be mitigated by setting the SameSite attribute on session cookies to Lax (recommended) or Strict. This might not be suitable for sites that need to share the Drupal session cookie in some way with other sites. Set the following in your site's services.yml file:

    parameters:
      session.storage.options:
        # Session cookies are only used for backend admin accounts, so we restrict
        # the cookies to be used only from the backend origin. We don't use "Strict"
        # because that also removes cookies whenever an admin navigates from an
        # email or chat app, which is inconvenient. See
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
        cookie_samesite: Lax

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

Security advisories (contrib) - 8 November 2023, 16:30
Project: GraphQL
Date: 2023-November-08
Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <3.4.0 || >=4.0.0 <4.6.0
Description:

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.

The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label, creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt in to supporting different logic on entity types. Additionally, your schema must make use of the EntityLabel DataProducer to be affected.

Solution: 

Install the latest version:


Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049

Security advisories (contrib) - 1 November 2023, 17:56
Project: Paragraphs admin
Date: 2023-November-01
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Affected versions: <1.5.0
Description:

This module enables you to view all paragraph entities in an admin view.

The module contains an access bypass that allows non-admin users to access the view.

The vulnerability can be mitigated by editing the view to change the permission required to access the page.

Solution: 

Install the latest version:


Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048

Security advisories (contrib) - 4 October 2023, 17:41
Project: Mail Login
Date: 2023-October-04
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.9.0
Description:

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

A previous security advisory, SA-CONTRIB-2023-45, was released for this issue, but that release did not successfully address the vulnerability. This security advisory and updated module version supersede the previous one.

Solution: 

Install the latest version:


Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

Security advisories (contrib) - 27 September 2023, 18:33
Project: Content Moderation Notifications
Date: 2023-September-27
Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:All
Vulnerability: Information disclosure
Affected versions: >=3.0.0 <3.6.0
Description:

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content_moderation module.

The module doesn't sufficiently check access to content when sending notifications.

This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.

Solution: 

Install the latest version:


Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Security advisories (contrib) - 27 September 2023, 18:16
Project: Entity cache
Date: 2023-September-27
Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Description:

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.

Solution: 

Install the latest version:


Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Security advisories (core) - 20 September 2023, 18:23
Project: Drupal core
Date: 2023-September-20
Security risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >=10.1 <10.1.4
Description:

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.


Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

Security advisories (contrib) - 13 September 2023, 17:47
Project: Mail Login
Date: 2023-September-13
Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.8.0
Description:

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

Solution: 

Install the latest version:


WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

Security advisories (contrib) - 6 September 2023, 18:33
Project: WebProfiler
Date: 2023-September-06
Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: >10.1.0 <10.1.1
Description:

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.

The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.

This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.

Solution: 

Install the latest version:


highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Security advisories (contrib) - 6 September 2023, 17:23
Project: highlight.php
Date: 2023-September-06
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Affected versions: <1.0.1
Description:

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently filter user-entered data.

Solution: 

Install the latest version:


Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Security advisories (contrib) - 30 August 2023, 18:23
Project: Obfuscate Email
Date: 2023-August-30
Security risk: Less critical 5∕25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: <2.0.1
Description:

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module doesn't sufficiently escape the data attribute in the scenario where a user has access to manipulate that value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

Solution: 

Install the latest version:


Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

Security advisories (contrib) - 30 August 2023, 18:22
Project: Unified Twig Extensions
Date: 2023-August-30
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Affected versions: <1.1.1
Description:

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Solution: 

Install the latest version:


Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

Security advisories (contrib) - 23 August 2023, 19:24
Project: Data field
Version: 1.0.15, 1.0.14, 1.0.13, 1.0.12, 1.0.11, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0
Date: 2023-August-23
Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.0.16
Description:

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.

Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.

Solution: 

Install the latest version:


SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

Security advisories (contrib) - 23 August 2023, 19:06
Project: SafeDelete
Version: 1.0.43, 1.0.42, 1.0.41, 1.0.40, 1.0.39, 1.0.38, 1.0.36, 1.0.35, 1.0.34, 1.0.33, 1.0.32, 1.0.31, 1.0.30, 1.0.29, 1.0.28, 1.0.27, 1.0.26, 1.0.25, 1.0.24, 1.0.23, 1.0.22, 1.0.21, 1.0.20, 1.0.19, 1.0.18, 1.0.17, 1.0.16, 1.0.15, 1.0.14, 1.0.13, 1.0.12, 1.0.11, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0
Date: 2023-August-23
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.0.44
Description:

This module aims to prevent broken content references by informing content editors either on delete or archive moderation.

The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content.

Solution: 

Install the latest version:

  • If you use the SafeDelete module for Drupal 8/9 or 10, please upgrade to SafeDelete 1.0.44

Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038

Security advisories (contrib) - 23 August 2023, 19:00
Project: Shorthand
Version: 4.0.2, 4.0.1, 4.0.0
Date: 2023-August-23
Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <4.0.3
Description:

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling".

The module does not check appropriate permissions when displaying a list of all shorthand stories.

Solution: 

Install the latest version:

  • If you use the Shorthand module for Drupal 8+, upgrade to Shorthand 4.0.3

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Security advisories (contrib) - 23 August 2023, 18:54
Project: Config Pages
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5, 8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: <2.9.0
Description:

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.

Solution: 

Install the latest version:


Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

Security advisories (contrib) - 23 August 2023, 17:04
Project: Flexi Access
Date: 2023-August-23
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

The Flexi Access module provides a simple and flexible interface to the ACL (Access Control List) module. It lets you set up and manage ACLs naming individual users that are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that known exploit paths require an attacker to have a combination of permissions provided by the module; for example "access flexiaccess" and "flexiaccess view". See _flexiaccess_node_access() for details. The "administer flexiaccess" permission alone does not grant access to the vulnerable functionality.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Flexi Access depends.

Solution: 

Install the latest version:

  • If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access 7.x-1.3.
    The ACL module (a dependency) must also be updated.

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

Security advisories (contrib) - 23 August 2023, 16:54
Project: Forum Access
Date: 2023-August-23
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Affected versions: <1.0.0
Description:

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

Solution: 

Install the latest version:

The ACL module (a dependency) must also be updated.
