Biztonsági figyelmeztetések (contrib)

Project: File Entity (fieldable files)Date: 2024-September-11Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureDescription: 

This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.

This vulnerability only affects sites with private files.

Solution: 

Install the latest version:

• If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 or newer.

Reported By: 

• Devin Zuczek

Fixed By: 

• Devin Zuczek
• Joseph Olstad

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Security KitDate: 2024-September-11Security risk: Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: <2.0.3Description: 

This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers.

The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data.

This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages.

Solution: 

Install the latest version:

• If you use the 7.x-1.x branch of the seckit module, upgrade to seckit 7.x-1.13
• If you use the 2.0.x branch of the seckit module, upgrade to seckit 2.0.3

Reported By: 

• _b0lli

Fixed By: 

• jweowu
• Drew Webber of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team

Project: Open SocialDate: 2024-September-04Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11Description: 

Open Social is a Drupal distribution for online communities.

The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x, upgrade to Open Social 12.3.8
• If you use Open Social 12.4.x, upgrade to Open Social 12.4.5

Reported By: 

• vnech

Fixed By: 

• Ronald te Brake
• vnech

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team

Project: Open SocialDate: 2024-September-04Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Scripting, Denial of ServiceAffected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11Description: 

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed.

This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.

Added URL's were not sufficiently validated which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS.

This vulnerability is mitigated by the fact that social_embed submodule needs to be enabled.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x, upgrade to Open Social 12.3.8
• If you use Open Social 12.4.x, upgrade to Open Social 12.4.5

Reported By: 

• Thiago Régis

Fixed By: 

• Thiago Régis
• Ronald te Brake

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Paragraphs tableDate: 2024-September-04Security risk: Critical 15∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.23.0 || >=2.0.0 <2.0.2Description: 

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).

This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.

Information disclosure

Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.

Access bypass

The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content" which is commonly assigned to all roles.

Solution: 

Install the latest version:

• If you use the paragraphs_table module 8.x-1.x, upgrade to paragraphs_table 8.x-1.23
• If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table 2.0.2 or newer

Reported By: 

• James Williams

Fixed By: 

• James Williams
• NGUYEN Bao
• Steven Jones
• Joseph Olstad

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Jess of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Content Entity CloneDate: 2024-September-04Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: <1.0.4Description: 

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle.

The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to.

This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone.

Solution: 

Install the latest version:

• If you use the content_entity_clone module prior to version 1.0.4, upgrade to content_entity_clone 1.0.4

Reported By: 

• Vojislav Jovanovic

Fixed By: 

• orakili
• Vojislav Jovanovic

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: FreelinkingDate: 2024-September-04Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <4.0.1Description: 

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.

The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.

Solution: 

Install the latest version:

• If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
• If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported

Reported By: 

• Matthew Radcliffe

Fixed By: 

• Matthew Radcliffe
• Gisle Hannemyr

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Advanced VarnishDate: 2024-August-28Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.0.11Description: 

This module enables you to cache pages for logged in users at the Varnish level.

The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.

Solution: 

There are two steps. Install the latest version and update your configuration:

1. If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to Advanced Varnish 4.0.11
2. Go to the module configuration page and set an appropriate value to the hashing noise configuration.

Reported By: 

• Heine Deelstra of the Drupal Security Team

Fixed By: 

• Heine Deelstra of the Drupal Security Team
• Alexander Shumenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: OpignoDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it affected only specific activity types.

Solution: 

Install the latest version:

• If you use the opigno module, upgrade to opigno 7.x-1.23

Reported By: 

• Yurii Boichenko
• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Opigno TinCan Question TypeDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission to create or edit "TinCan Package" content type.

Solution: 

Install the latest version:

• If you use the opigno_tincan_question_type module, upgrade to opigno_tincan_question_type 7.x-1.3

Reported By: 

• Juraj Nemec of the Drupal Security Team
• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Juraj Nemec of the Drupal Security Team
• Axel Minck
• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Responsive and off-canvas menuDate: 2024-August-21Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <4.4.4Description: 

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths.

The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access hooks meaning the titles of restricted nodes can appear in the menu.

Only sites with modules that implement hook_ENTITY_TYPE_access to restrict access to nodes are effected.

Solution: 

Install the latest version:

• If you use the 4.x branch of the responsive_menu module upgrade to 4.4.4

Reported By: 

• collinhaines

Fixed By: 

• Stephen Cox

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Opigno Learning pathDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno Learning Path module enables you to manage group content.

Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".

Solution: 

Install the latest version:

• If you use the opigno_learning_path module, upgrade it to opigno_learning_path >= 3.1.2

Reported By: 

• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Axel Minck
• Yuriy Korzhov
• Andrii Aleksandrov
• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Opigno moduleDate: 2024-August-07Security risk: Critical 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.

In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".

Solution: 

Install the latest version:

• If you use the opigno_module module, upgrade to opigno_module >= 3.1.2

Reported By: 

• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Yurii Boichenko
• Axel Minck
• Yuriy Korzhov
• Andrii Aleksandrov
• catch of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Opigno group managerDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <3.1.1Description: 

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.

An administration form allows execution of arbitrary code.

This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.

Solution: 

Install the latest version:

• If you use the opigno_group_manager module for Drupal 10.x, upgrade to opigno_group_manager 3.1.1

Reported By: 

• catch of the Drupal Security Team
• Marcin Grabias

Fixed By: 

• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: View PasswordDate: 2024-July-31Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <6.0.4Description: 

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes.

The module doesn't validate the content of classes. A malicious user with access to the View Password Settings Form could add malicious code in the classes field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".

Solution: 

Install the latest version:

• If you use the View Password module upgrade to View Password 6.0.4.

Reported By: 

• Ide Braakman

Fixed By: 

• Ana Colautti
• Ide Braakman

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team