View online: http://drupal.org/node/1890538
* Advisory ID: DRUPAL-SA-CONTRIB-2013-005
* Project: Mark Complete [1] (third-party module)
* Version: 7.x
* Date: 2013-January-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to update a date field on a node via an AJAX link on
the node view page.
The module doesn't sufficiently guard against Cross Site Request Forgery
(CSRF).
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Mark Complete 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Mark Complete
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Mark Complete module for Drupal 7.x, upgrade to Mark
Complete 7.x-1.1 [5]
Also see the Mark Complete [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Lee Rowlands [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Leighton Whiting [8] the module maintainer
* Lee Rowlands [9] of the Drupal Security Team
* Fox [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/mark_complete
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mark_complete
[5] http://drupal.org/node/1890566
[6] http://drupal.org/project/mark_complete
[7] http://drupal.org/user/395439
[8] http://drupal.org/user/307704
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/426416
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1890318
* Advisory ID: DRUPAL-SA-CONTRIB-2013-004
* Project: Live CSS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-January-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to save CSS and LESS files on the server via your
browser.
The module doesn't check that the file being saved isn't a script or
executable.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer CSS".
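The check the advisory says was missing is a server-side restriction on what a "save this stylesheet" request may write. The following is an added example and not Live CSS code; it accepts only .css and .less targets, rejects traversal segments and null bytes, and resolves the result under one fixed directory. The directory and the sample paths are constructed for the demonstration, and the function name is illustrative.

```php
<?php
// Added example, not Live CSS code: decide whether a requested stylesheet
// path may be written, returning the canonical target or null on rejection.
// $allowed_root and the sample paths below are constructed values.

function stylesheet_target(string $requested, string $allowed_root): ?string
{
    // Empty names and embedded null bytes are rejected before anything else.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }

    // Only stylesheet extensions. pathinfo() looks at the *last* extension,
    // so style.css.php is rejected while style.css is accepted.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ['css', 'less'], true)) {
        return null;
    }

    // Normalise separators and walk the segments without touching the
    // filesystem (the file may not exist yet). Any ".." segment is refused
    // outright rather than collapsed, so the result can never leave the root.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                      // leading slash or redundant "."
        }
        if ($segment === '..') {
            return null;                   // traversal attempt
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null;
    }

    $root = rtrim(str_replace('\\', '/', $allowed_root), '/');
    return $root . '/' . implode('/', $parts);
}

$root = '/var/www/sites/default/themes';   // constructed root directory
$samples = [
    'css/style.css',
    'less/theme.less',
    'x.CSS',
    'style.css.php',
    'script.php',
    '../../../index.php',
    '/css/../style.css',
];
foreach ($samples as $path) {
    printf("%-22s => %s\n", $path, stylesheet_target($path, $root) ?? 'rejected');
}
```

The extension check alone would already stop a .php upload, but keeping the write confined to one directory is what prevents an otherwise valid .css name from overwriting something the web server treats as executable elsewhere on the filesystem.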
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Live CSS 6.x-2.x versions prior to 6.x-2.1 [4].
* Live CSS 7.x-2.x versions prior to 7.x-2.7 [5].
Drupal core is not affected. If you do not use the contributed Live CSS [6]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Live CSS module for Drupal 6.x, upgrade to 6.x-2.1 [7].
* If you use the Live CSS module for Drupal 7.x, upgrade to 7.x-2.7 [8].
Also see the Live CSS [9] project page.
-------- REPORTED BY ---------------------------------------------------------
* Ryan Garrett [10]
-------- FIXED BY ------------------------------------------------------------
* Guy Bedford [11] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/live_css
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/node/1883978
[5] http://drupal.org/node/1883976
[6] http://drupal.org/project/live_css
[7] http://drupal.org/node/1883978
[8] http://drupal.org/node/1883976
[9] http://drupal.org/project/live_css
[10] http://drupal.org/user/2392210
[11] http://drupal.org/user/746802
[12] http://drupal.org/user/27
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1890222
* Advisory ID: DRUPAL-SA-CONTRIB-2013-003
* Project: RESTful Web Services [1] (third-party module)
* Version: 7.x
* Date: 2013-January-16
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to expose Drupal entities as RESTful web services. It
provides a machine-readable interface to exchange resources in JSON, XML and
RDF.
The module doesn't sufficiently verify POST requests, thereby exposing a Cross
Site Request Forgery vulnerability.
This vulnerability is mitigated by the fact that an attacker must trick an
authenticated user onto a prepared page that leverages a weakness in certain
browser plugins.
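Both CSRF advisories in this digest (Mark Complete above, with its AJAX link on the node page, and RESTWS here, with its POST requests) come down to the same missing control: a state-changing request that does not prove it was issued from a page the site itself rendered for this session. The following is an added example, not code from either module. It shows the session-bound token that Drupal 7 provides as drupal_get_token($value) and drupal_valid_token($token, $value), written in plain PHP with hash_hmac() over a site secret so the file runs on its own. The site key, session identifiers, paths and the X-CSRF-Token header name are constructed or illustrative.

```php
<?php
// Added example; not code from Mark Complete or RESTWS. A session-bound
// anti-CSRF token in plain PHP (Drupal 7's drupal_get_token() /
// drupal_valid_token() work the same way over the site's private key).
// $site_key and the session ids are constructed sample values.

function csrf_token(string $session_id, string $site_key, string $action): string
{
    // Binding the token to the session and to the action means a token taken
    // from one page cannot be replayed for another user or another operation.
    return hash_hmac('sha256', $session_id . ':' . $action, $site_key);
}

function csrf_token_valid(?string $token, string $session_id, string $site_key, string $action): bool
{
    if ($token === null || $token === '') {
        return false;                      // an absent token never validates
    }
    // hash_equals() compares in constant time.
    return hash_equals(csrf_token($session_id, $site_key, $action), $token);
}

// Mark Complete style: the AJAX link rendered on the node page carries the
// token in its query string; a link assembled on a third-party site does not.
function mark_complete_link(int $nid, string $session_id, string $site_key): string
{
    $token = csrf_token($session_id, $site_key, "mark_complete/$nid");
    return "/node/$nid/mark-complete?token=" . rawurlencode($token);
}

function mark_complete_callback(int $nid, array $query, string $session_id, string $site_key): string
{
    if (!csrf_token_valid($query['token'] ?? null, $session_id, $site_key, "mark_complete/$nid")) {
        return '403 Forbidden';
    }
    return "200 node $nid date field updated";
}

// RESTWS style: a state-changing POST must carry the token in a request
// header. An HTML form or image tag cannot set custom headers, and a
// cross-origin script is stopped by the CORS preflight.
function restws_post_callback(array $headers, string $session_id, string $site_key): string
{
    if (!csrf_token_valid($headers['X-CSRF-Token'] ?? null, $session_id, $site_key, 'restws')) {
        return '403 Forbidden';
    }
    return '201 Created';
}

$site_key = 'constructed-site-private-key';
$victim   = 'constructed-session-of-logged-in-user';

// Genuine link rendered for this session: accepted.
$link = mark_complete_link(42, $victim, $site_key);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
echo mark_complete_callback(42, $query, $victim, $site_key), "\n";

// Same URL without the token, as a cross-site page would have to issue it: rejected.
echo mark_complete_callback(42, [], $victim, $site_key), "\n";

// Token minted under a different session: rejected, because it is session-bound.
$foreign = ['X-CSRF-Token' => csrf_token('some-other-session', $site_key, 'restws')];
echo restws_post_callback($foreign, $victim, $site_key), "\n";
```

The header variant is the one that matters for the "browser plugins" caveat in the RESTWS text: even if a plugin can be coaxed into adding a header, it still has to supply a value derived from the victim's own session and the site's secret, which it does not have.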
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* RESTWS 7.x-1.x versions prior to 7.x-1.2.
* RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha4.
Drupal core is not affected. If you do not use the contributed RESTful Web
Services [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the RESTWS 1.x module for Drupal 7.x, upgrade to RESTWS 7.x-1.2
[5]
* If you use the RESTWS 2.x module for Drupal 7.x, upgrade to RESTWS
7.x-2.0-alpha4 [6]
Also see the RESTful Web Services [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Fredrik Lassen [8]
* Klaus Purer [9] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Klaus Purer [10] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/restws
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/restws
[5] http://drupal.org/node/1890212
[6] http://drupal.org/node/1890216
[7] http://drupal.org/project/restws
[8] http://drupal.org/user/243377
[9] http://drupal.org/user/262198
[10] http://drupal.org/user/262198
[11] http://drupal.org/user/262198
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1884360
* Advisory ID: DRUPAL-SA-CONTRIB-2013-002
* Project: Payment [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Payment enables other modules to make payments using a variety of payment
processing services.
The module incorrectly grants access when checking if a user can view
payments, allowing a user to access the payments of other users.
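An access check that "incorrectly grants access" to other users' payments is typically one that tests a permission but never compares the owner. The following is an added example, not the Payment module's code: a hypothetical flawed callback that illustrates that bug class beside a corrected one that only honours "view own" when the record belongs to the requesting account. The permission names, account arrays and payment record are constructed for the demonstration.

```php
<?php
// Added example, not the Payment module's code. Accounts and payments are
// constructed arrays; the permission names are illustrative.

// Flawed (hypothetical illustration of the bug class, not the module's actual
// code): holding "view own payments" is treated as sufficient on its own, so
// the owner comparison never happens and the user can read anyone's payment.
function payment_view_access_flawed(array $payment, array $account): bool
{
    return in_array('view any payment', $account['permissions'], true)
        || in_array('view own payments', $account['permissions'], true);
}

// Corrected: "view own" applies only when the payment belongs to this account,
// and the anonymous user (uid 0) is never treated as an owner.
function payment_view_access(array $payment, array $account): bool
{
    if (in_array('view any payment', $account['permissions'], true)) {
        return true;
    }
    return in_array('view own payments', $account['permissions'], true)
        && $account['uid'] !== 0
        && $payment['uid'] === $account['uid'];
}

$payment = ['pid' => 7, 'uid' => 5, 'amount' => '19.99'];   // constructed record owned by uid 5
$accounts = [
    'owner' => ['uid' => 5, 'permissions' => ['view own payments']],
    'other' => ['uid' => 9, 'permissions' => ['view own payments']],
    'admin' => ['uid' => 1, 'permissions' => ['view any payment']],
    'anon'  => ['uid' => 0, 'permissions' => ['view own payments']],
];
foreach ($accounts as $name => $account) {
    printf("%-5s flawed=%-5s fixed=%s\n", $name,
        var_export(payment_view_access_flawed($payment, $account), true),
        var_export(payment_view_access($payment, $account), true));
}
```

The "other" and "anon" rows are the ones to watch: the flawed check answers true for both, the corrected one only for the owner and the administrator.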
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Payment 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Payment [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Update to Payment 7.x-1.3 [5] or later.
Also see the Payment [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dario Emmanuel Godoy Rojas [7]
-------- FIXED BY ------------------------------------------------------------
* Bart Feenstra [8] (the module maintainer)
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/payment
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/payment
[5] http://drupal.org/node/1883830
[6] http://drupal.org/project/payment
[7] http://drupal.org/user/186754
[8] http://drupal.org/user/62965
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1884332
* Advisory ID: DRUPAL-SA-CONTRIB-2013-001
* Project: Search API [1] (third-party module)
* Version: 7.x
* Date: 2013-January-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to build searches using a wide range of features,
data sources and backends.
The module doesn't sufficiently sanitize user input when displaying errors in
a view with certain backends, including the database backend. This enables
attackers to create a Reflected Cross Site Scripting attack by manipulating
the URL.
This is mitigated by the fact that the vulnerability only occurs with some
backends (the Solr backend, for example, is safe) and for certain common
configurations of facets.
The module also doesn't sufficiently sanitize output field names in the admin
view.
This is mitigated by the fact that an attacker would have to have the
necessary permissions to change the field names of an indexed entity type.
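Both issues in this advisory are output-escaping gaps: once a value that came from the URL (the search keys echoed in an error message) or from an administrator (a field name shown in the admin view) is concatenated into HTML, it must be escaped. The following is an added example, not Search API code. Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), which is inlined here so the file runs with plain php; the hostile query string and the field label are constructed samples.

```php
<?php
// Added example, not Search API code: the vulnerable and hardened way of
// rendering user-influenced text into an error message and an admin table.
// check_plain_compat() mirrors Drupal 7's check_plain(); samples are constructed.

function check_plain_compat(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the "keys" value taken from the URL lands in the markup
// unchanged, so anyone who can craft a link controls what the page executes.
function search_error_unsafe(string $keys): string
{
    return '<div class="messages error">No results for <em>' . $keys . '</em>.</div>';
}

// Hardened pattern: escape before interpolating. ENT_QUOTES also covers the
// case where the value ends up inside an attribute.
function search_error_safe(string $keys): string
{
    return '<div class="messages error">No results for <em>'
        . check_plain_compat($keys) . '</em>.</div>';
}

// Second issue: a field name chosen by an administrator is still untrusted
// data when it is rendered back on the admin view.
function field_name_cell(string $field_name): string
{
    return '<td>' . check_plain_compat($field_name) . '</td>';
}

$keys = '<script>alert(1)</script>';            // constructed hostile value, as it would arrive via ?keys=
$label = 'Title <b onmouseover="x">!</b>';       // constructed field label

echo "unsafe: ", search_error_unsafe($keys), "\n";
echo "safe:   ", search_error_safe($keys), "\n";
echo "field:  ", field_name_cell($label), "\n";
```

Escaping at the point of output, rather than trying to filter on input, is what keeps the fix independent of which backend or facet configuration produced the message.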
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Search API 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Search API [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Search API module for Drupal 7.x, upgrade to Search API
7.x-1.4 [5]
Also see the Search API [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* XSS in Views error messages was reported by Josh Stroschein [7].
* XSS in field names was reported by Francisco José Cruz Romanos [8].
-------- FIXED BY ------------------------------------------------------------
* XSS in Views error messages was fixed by Lee Rowlands [9] of the Drupal
Security Team and Bojan Živanović [10].
* XSS in field names was fixed by Francisco José Cruz Romanos [11].
-------- COORDINATED BY ------------------------------------------------------
* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/search_api
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/search_api
[5] http://drupal.org/node/1884076
[6] http://drupal.org/project/search_api
[7] http://drupal.org/user/2198458
[8] http://drupal.org/user/848238
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/86106
[11] http://drupal.org/user/848238
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration