Hírolvasó

Project: Two-factor Authentication (TFA)Date: 2024-October-02Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0Description: 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

Solution: 

Install the latest version:

• If you use the Two-factor Authentication (TFA) module for Drupal 8+ upgrade to Two-factor Authentication (TFA) 8.x-1.8
• If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade to Two-factor Authentication (TFA) 7.x-2.4

Reported By: 

• Francesco Placella

Fixed By: 

• Francesco Placella
• Juraj Nemec of the Drupal Security Team
• Conrad Lara

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: DiffDate: 2024-October-02Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypass, Information DisclosureAffected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3Description: 

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types.

Solution: 

Install the latest version:

• If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8

Reported By: 

• Matthias Vogel

Fixed By: 

• Matthias Vogel
• Lucas Hedding
• Adam Bramley

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Smart IP BanDate: 2024-September-18Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings.

Solution: 

Install the latest version:

• If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1

Reported By: 

• Shawn Gants

Fixed By: 

• Sivaji Ganesh Jojodae

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team