Biztonsági figyelmeztetések (contrib)

Project: jQuery UI CheckboxradioVersion: 8.x-1.38.x-1.28.x-1.18.x-1.0Date: 2022-August-10Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:UncommonVulnerability: Cross site scriptingDescription: 

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed following security issue that may affect sites using the jQuery UI Checkboxradio module:

• CVE-2022-31160: XSS when refreshing a checkboxradio with an HTML-like initial text label
  

Solution: 

Install the latest version. If you use the jQuery UI Checkboxradio module for Drupal 9, upgrade to:

• jQuery UI Checkboxradio 8.x-1.4.

Reported By: 

• Benji Fisher, provisional member of the Drupal Security Team

Fixed By: 

• Benji Fisher, provisional member of the Drupal Security Team
• xjm of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• xjm of the Drupal Security Team

Project: TagifyVersion: 1.0.41.0.31.0.2-beta11.0.1-beta11.0.0-beta1Date: 2022-July-27Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:None/II:Some/E:Exploit/TD:UncommonVulnerability: Access bypassDescription: 

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

Solution: 

Install the latest version:

• If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5

Reported By: 

• Conrad Lara

Fixed By: 

• David Galeano
• Conrad Lara

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: PDF generator APIVersion: 2.2.12.2.02.1.02.0.0Date: 2022-July-27Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to generate PDF versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.

Solution: 

Install the latest version:

• If you use the pdf_api module for Drupal 2.x, upgrade to pdf_api 2.2.2

Reported By: 

• tedfordgif
• David Archuleta

Fixed By: 

• tedfordgif
• Nigel Cunningham

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: ContextVersion: 7.x-3.107.x-3.97.x-3.87.x-3.77.x-3.67.x-3.57.x-3.47.x-3.37.x-3.27.x-3.17.x-3.07.x-3.0-rc17.x-3.0-beta77.x-3.0-beta67.x-3.0-beta57.x-3.0-beta47.x-3.0-beta37.x-3.0-beta27.x-3.0-beta17.x-3.0-alpha37.x-3.0-alpha27.x-3.0-alpha1Date: 2022-July-27Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

• If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.11.

Reported By: 

• Harold Aling

Fixed By: 

• Harold Aling
• Bostjan Kovac
• Nedjo Rogers

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Entity PrintDate: 2022-July-13Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Multiple: Remote Code Execution, Information disclosureDescription: 

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0

Note on 3rd party vulnerabilities

This security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is PSA-2019-09-04). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory.

Solution: 

Install the latest version (8.x-2.6) of this module and update dompdf/dompdf at the same time. It is recommended to use composer to do the update using commands similar to the following:

composer update drupal/entity_print
composer require dompdf/dompdf:~2 Reported By: 

• szato
• Munavir P k

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Carlos Santana
• Manoj Selvan

Coordinated By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Config TermsDate: 2022-June-29Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Access bypassDescription: 

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

Solution: 

Install the latest version:

• If you use the Config Terms module for Drupal 9.x, upgrade to Config Terms 8.x-1.6 or later

Reported By: 

• Emil Johnsson

Fixed By: 

• Emil Johnsson
• Justin Ludwig

Project: Lottiefiles FieldDate: 2022-June-29Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.

Solution: 

Install the latest version:

• If you use the lottifiles_field module for Drupal 8.x or 9.x, upgrade to Lottiefiles Field 1.0.3.

Reported By: 

• Conrad Lara

Fixed By: 

• Hari Venu
• Conrad Lara

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Apigee EdgeDate: 2022-May-25Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.

The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.

Solution: 

Install the latest version:

• If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.3
• If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.26

Reported By: 

• Dezső BICZÓ

Fixed By: 

• Dezső BICZÓ

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Entity Browser BlockDate: 2022-May-25Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

Entity Browser Block provides a Block Plugin for every Entity Browser on your site.

The module didn't sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.

Solution: 

Install the latest version:

• If you use the entity_browser_block module for Drupal 8+, upgrade to entity_browser_block 8.x-1.2

Reported By: 

• Dan Flanagan

Fixed By: 

• Dan Flanagan
• Samuel Mortenson

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Open SocialDate: 2022-May-25Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.

This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.

Please note the affected versions were already unsupported, this advisory is released additionally as there are still reported installs for the affected versions.

Solution: 

Install the latest versions:

• If you use Open Social versions prior to 11.0.0, upgrade to at least Open Social 11.0.0 where this issue is resolved

Preferably use one of the supported versions:

• Open Social 11.3.0
• Open Social 11.2.3
• Open Social 11.1.7

Reported By: 

• Dmitry Kiselev

Fixed By: 

A variety of people as part of upgrading to version 11.

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team

Project: EmbedDate: 2022-May-25Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.

In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).

Solution: 

Install the latest version:

• If you use the Embed module for Drupal 8.x or 9.x, upgrade to Embed 8.x-1.5

Reported By: 

• Aaron Zinck

Fixed By: 

• Dave Reid of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Adam G-H

Coordinated By: 

• Dave Reid of the Drupal Security Team

Project: Wingsuit - Storybook for UI PatternsVersion: 8.x-2.x-dev8.x-1.x-devDate: 2022-May-18Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.

The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.

Solution: 

Install the latest version:

• If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade to Wingsuit 8.x-1.1

Reported By: 

• Christian.wiedemann

Fixed By: 

• Christian.wiedemann

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Duo Two-Factor AuthenticationDate: 2022-May-04Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.

Project: Quick Node CloneDate: 2022-May-04Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:AllVulnerability: Access bypassDescription: 

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.

The module has a vulnerability which allows attackers to bypass the protection to clone any group content with an access check. Users are allowed to copy other group's nodes, and if they do that, the node gets added to groups they don't have access to.

This vulnerability is mitigated by the fact it only affects sites that also use the Groups contributed module.

Solution: 

Install the latest version:

• If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick Node Clone 8.x-1.15

Reported By: 

• Benjamin Rasmussen

Fixed By: 

• Benjamin Rasmussen
• Neslee Canil Pinto

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Image Field CaptionVersion: 8.x-1.1Date: 2022-May-04Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.

The vulnerability is mitigated by several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.

Solution: 

Install the latest version:

• If you use the image_field_caption module for Drupal 9.x, upgrade to image_field_caption 8.x-1.2

Reported By: 

• Patrick Fey

Fixed By: 

• Patrick Fey
• Tyler Struyk

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Doubleclick for Publishers (DFP)Date: 2022-May-04Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.

The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".

Solution: 

Install the latest version:

• If you use the Doubleclick for Publishers module for Drupal 9.x, upgrade to DFP 8.x-1.2

Note that the Drupal 7 version of this module is unaffected.

Reported By: 

• John Herreño

Fixed By: 

• John Herreño
• Marcelo Vani

Coordinated By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: LinkDate: 2022-May-04Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Solution: 

Install the latest version:

• If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.11

Reported By: 

• Brad Bulger

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Brad Bulger
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team