Biztonsági figyelmeztetések (contrib)

Project: POST FileDate: 2024-November-13Security risk: Critical 17 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Cross Site Scripting, Arbitrary PHP code executionAffected versions: <1.0.2Description: 

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the allow_insecure_uploads config.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".

Solution: 

Install the latest version:

• If you use the POST File module for Drupal 10.3.x/11.x, upgrade to POST File 1.0.2

Reported By: 

• Pierre Rudloff

Fixed By: 

• Scott Joudry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: POST FileDate: 2024-November-13Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.0.2Description: 

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

The module doesn't sufficiently protect against Cross Site Request Forgery
under allowing an attacker to trick a site user into uploading a file.

Solution: 

Install the latest version:

• If you use the POST File module for Drupal 10.3.x/11.x, upgrade to Post File 1.0.2

Reported By: 

• Pierre Rudloff

Fixed By: 

• Scott Joudry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: TooltipDate: 2024-November-06Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <1.1.2Description: 

This module enables you to add any HTML content you want in a tooltip displayed on mouse hover.

The module does not sufficiently escape the markup inserted in the tooltip block.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

• If you use the Tooltip module for Drupal 8.x, 9.x or 10.x, upgrade to Tooltip 1.1.2

Reported By: 

• Pierre Rudloff

Fixed By: 

• Matthieu Scarset

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team

Project: Basic HTTP AuthenticationDate: 2024-November-06Security risk: Critical 16 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

The module provides a possibility to restrict access to specific paths using
basic HTTP authentication, in addition to standard Drupal access checks.

In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability.

Solution: 

Install the latest version:

• If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade to Basic Authentication 7.x-1.4

Reported By: 

• Roderik Muit

Fixed By: 

• Roderik Muit
• Ivo Van Geertruyen of the Drupal Security Team

Coordinated By: 

• Ivo Van Geertruyen of the Drupal Security Team

Project: OhDear IntegrationDate: 2024-October-30Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.0.4Description: 

Integrates your Drupal website with the Oh Dear monitoring app.

Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module.

This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthcheck endpoint. It is not enabled by default and there's no UI option to do it. It has to be done directly in the ohdear_integration.settings.yml.

Solution: 

Install the latest version:

• If you use the OhDear Integration module, upgrade to 2.0.4 version.

Reported By: 

• casey

Fixed By: 

• casey
• Lio Novelli

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Cookiebot + GTMDate: 2024-October-30Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.18Description: 

This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.

The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting (XSS) vulnerability.

Solution: 

Install the latest version and review settings:

1. If you use the Cookiebot + GTM module for Drupal, upgrade to Cookiebot + GTM 1.0.18
2. Additionally, the new codebase adds validation and permission changes so admins should re-save the configuration form at /admin/config/cookiebot_gtm and confirm which roles have permission to configure the module at /admin/people/permissions.

Reported By: 

• Pierre Rudloff

Fixed By: 

• Fabian de Rijk

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Cathy Theys of the Drupal Security Team

Project: Loft Data GridsDate: 2024-October-23Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

This module provides serialization formats for use by other modules.

The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities.

Solution: 

If you use the Loft Data Grids module for Drupal 7.x, install one of:

• Loft Data Grids 7.x-2.7 - which removes support for the XLSX format, as the patched version requires PHP 8.
• Loft Data Grids 7.x-3.0 - which includes XLSX support, by requiring PHP 8 and Composer installation. See the module's README-file for more information.

Reported By: 

• Juraj Nemec of the Drupal Security Team

Fixed By: 

• Aaron Klump

Coordinated By: 

• Greg Knaddison
• Juraj Nemec

Project: Smartling ConnectorDate: 2024-October-23Security risk: Less critical 9 ∕ 25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Multiple vulnerabilitiesDescription: 

Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform.

The module includes an outdated version of the Guzzle package (guzzlehttp/guzzle 6.3.3), which has known security vulnerabilities.

Solution: 

Install the latest version:

• If you use Smartling module for Drupal 7.x-4.x, upgrade to smartling 7.x-4.19
• If you use Smartling module for Drupal 7.x-3.x, upgrade to smartling 7.x-3.8

Reported By: 

• Pierre Rudloff

Fixed By: 

• Pavel Loparev

Coordinated By: 

• Juraj Nemec of the Drupal Security Team

Project: Monster MenusDate: 2024-October-23Security risk: Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <9.3.4 || >=9.4.0 <9.4.2Description: 

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution.

Solution: 

Install the latest version:

• If you use Monster Menus branch 9.4.x, upgrade to monster_menus 9.4.2
• If you use Monster Menus branch 9.3.x, upgrade to monster_menus 9.3.4

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Dan Wilga

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Views SVG AnimationDate: 2024-October-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.0.1Description: 

This module enables you to animate an SVG graphic by selecting certain rows in a view.

The module doesn't sufficiently sanitize the SVG file before embedding it into the html.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files.

Solution: 

Install the latest version:

• If you use the views_svg_animation module for Drupal 10 or 11, upgrade to views_svg_animation 1.0.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• Jürgen Haas

Coordinated By: 

• Juraj Nemec of the Drupal Security Team

Project: SVG EmbedDate: 2024-October-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingAffected versions: <2.1.2Description: 

This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image.

The module doesn't sufficiently sanitize the SVG file before embedding it into the html.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter.

Solution: 

Install the latest version:

• If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed 7.x-1.3
• If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed 2.1.2

Reported By: 

• Pierre Rudloff

Fixed By: 

• Ivo Van Geertruyen of the Drupal Security Team
• Jürgen Haas

Coordinated By: 

• Ivo Van Geertruyen of the Drupal Security Team

Project: wkhtmltopdfDate: 2024-October-09Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: GutenbergDate: 2024-October-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: <2.13.0 || >=3.0.0 <3.0.5Description: 

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.

This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.

Solution: 

Install the latest version:

• If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.13
• If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5

Reported By: 

• Mingsong

Fixed By: 

• Mingsong
• Lee Rowlands of the Drupal Security Team
• Eirik Morland
• Stephan Zeidler
• Cathy Theys of the Drupal Security Team
• codebymikey
• Marco Fernandes

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: FacetsDate: 2024-October-09Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <2.0.9Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the Facets module, upgrade to Facets 2.0.9

Reported By: 

• Andrea Racco

Fixed By: 

• Andrea Racco
• Markus Kalkbrenner
• Joris Vercammen
• Jimmy Henderickx

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Block permissionsDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=1.0.0 <1.2.0Description: 

This module enables you to manage blocks from specific modules in the specific themes.

The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). The attacker can add the block to the theme where they can't manage blocks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".

Solution: 

Install the latest version:

• If you use the block_permissions module for Drupal 8.x, upgrade to block_permissions version at least 8.x-1.2 or the more recent 8.x-1.3

Reported By: 

• Francesco Sardara

Fixed By: 

• Francesco Sardara
• Evgenii Nikitin

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Monster MenusDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass, Information DisclosureAffected versions: <9.3.2Description: 

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended.

This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter.

Solution: 

Install the latest version:

• If you use the monster_menus module for Drupal 7.x, upgrade to monster_menus 7.x-1.34.
• If you use the monster_menus module version 9.3.x, upgrade to monster_menus 9.3.2.
• If you use the monster_menus module version 9.4.0 or newer, no change is needed.

Reported By: 

• Dan Wilga

Fixed By: 

• Dan Wilga
• Ian McBride

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Persistent LoginDate: 2024-October-02Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0 || >=2.2.0 <2.2.2 || 2.0.* || 2.1.*Description: 

This module enables users to remain logged in separately from session timeouts.

The module doesn't sufficiently check a user's disabled status when validating cookies.

This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.

Solution: 

Install the latest version:

• If you use the Persistent Login 8.x-1.x, upgrade to Persistent Login 8.x-1.8
• If you use the Persistent Login 2.x, upgrade to Persistent Login 2.2.2

Reported By: 

• Geoff Appleby

Fixed By: 

• Geoff Appleby

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Two-factor Authentication (TFA)Date: 2024-October-02Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0Description: 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

Solution: 

Install the latest version:

• If you use the Two-factor Authentication (TFA) module for Drupal 8+ upgrade to Two-factor Authentication (TFA) 8.x-1.8
• If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade to Two-factor Authentication (TFA) 7.x-2.4

Reported By: 

• Francesco Placella

Fixed By: 

• Francesco Placella
• Juraj Nemec of the Drupal Security Team
• Conrad Lara

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: DiffDate: 2024-October-02Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypass, Information DisclosureAffected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3Description: 

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.

Solution: 

Install the latest version:

• If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8

Reported By: 

• Matthias Vogel

Fixed By: 

• Matthias Vogel
• Lucas Hedding
• Adam Bramley

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Smart IP BanDate: 2024-September-18Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings.

Solution: 

Install the latest version:

• If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1

Reported By: 

• Shawn Gants

Fixed By: 

• Sivaji Ganesh Jojodae

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team