View online: https://drupal.org/node/2124289
* Advisory ID: DRUPAL-SA-CONTRIB-2013-086
* Project: Monster Menus [1] (third-party module)
* Version: 7.x
* Date: 2013-October-30
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Monster Menus includes the ability to protect the visibility of comments for
each node based on hierarchical permissions. However, a carefully-crafted URL
could be used to bypass these permissions, allowing an anonymous user to view
the comments associated with certain nodes.
In order for this flaw to be relevant and exploited, the node itself must be
readable by the attacker. Furthermore, the "Who can read comments" setting
for the node must be something other than "Everyone".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* monster_menus 7.x-1.x versions prior to 7.x-1.15.
Drupal core is not affected. If you do not use the contributed Monster Menus
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the monster_menus module for Drupal 7.x, upgrade to
monster_menus 7.x-1.15 [5]
Also see the Monster Menus [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dan Wilga [7]
-------- FIXED BY
------------------------------------------------------------
* Dan Wilga [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/monster_menus
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/monster_menus
[5] https://drupal.org/node/2123287
[6] http://drupal.org/project/monster_menus
[7] https://drupal.org/user/56892
[8] https://drupal.org/user/56892
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2124279
* Advisory ID: DRUPAL-SA-CONTRIB-2013-085
* Project: Feed Element Mapper [1] (third-party module)
* Version: 6.x
* Date: 2013-October-30
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Feed Element Mapper is an add-on module for FeedAPI that maps elements on a
feed item such as tags or the author name to taxonomy or CCK fields.
The module doesn't sufficiently filter text when displaying options to users.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer taxonomy".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of the module.
Drupal core is not affected. If you do not use the contributed Feed Element
Mapper [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Users of the module are encouraged to evaluate the risks and mitigating
factors and remove the module. There is no release with a fix available. The
module is generally unsupported and users are encouraged to switch to the
FeedAPI suite of modules.
Also see the Feed Element Mapper [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin Klein-Keane [6]
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/feedapi_mapper
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/feedapi_mapper
[5] http://drupal.org/project/feedapi_mapper
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/36762
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2123995
* Advisory ID: DRUPAL-SA-CONTRIB-2013-083
* Project: Quiz [1] (third-party module)
* Version: 6.x
* Date: 2013-October-30
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Information Disclosure, Multiple
vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
.... Access bypass on deleting quiz results
The Quiz module provides tools for authoring and administering quizzes
through Drupal. A quiz is given as a series of questions, with only one
question appearing per page. Scores are then stored in the database.
The module doesn't sufficiently check the permission to delete quiz results.
Any user who has permission to view quiz results can reach the delete option
on the results page, irrespective of the "delete any quiz results" and "delete
results for own quiz" permissions.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "view any quiz results" or "view results for own quiz".
.... Access bypass in viewing quiz views
The Quiz module has Views integration, including default Views. The default
views provided by the module do not have proper access control. If the Views
are enabled and their access settings are left unchanged, information about
users' quiz results may be disclosed.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Quiz 6.x-4.x versions prior to 6.x-4.5.
Drupal core is not affected. If you do not use the contributed Quiz [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Quiz module for Drupal 6.x, upgrade to Quiz 6.x-4.5 [5]
* In addition, review the Quiz results views and the quiz result delete
permissions, and confirm they behave as intended for your users
Also see the Quiz [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* nirvanajyothi [7]
* Cat Hirst [8]
-------- FIXED BY
------------------------------------------------------------
* Wouter Admiraal [9]
* Sivaji Ganesh [10] the module co-maintainer
* Falcon [11] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Dan Smith [12], Jakub Suchy [13], Ned McClain [14], Greg Knaddison [15] of
the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] http://drupal.org/project/quiz
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/quiz
[5] https://drupal.org/node/2123727
[6] http://drupal.org/project/quiz
[7] https://drupal.org/user/252387
[8] https://drupal.org/user/162748
[9] https://drupal.org/user/440510
[10] https://drupal.org/user/328724
[11] https://drupal.org/user/530912
[12] https://drupal.org/user/241220
[13] https://drupal.org/user/31977
[14] https://drupal.org/user/798324
[15] https://drupal.org/user/36762
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2124241
* Advisory ID: DRUPAL-SA-CONTRIB-2013-084
* Project: FileField Sources [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-Oct-30
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module expands on the FileField module by allowing you to select new or
existing files through additional means, such as re-using files with an
auto-complete textfield, attaching server-side files uploaded via FTP,
transferring files from a remote server, pasting a file directly from the
clipboard, and selecting existing files through the IMCE file browser.
The module doesn't sufficiently check file access permissions when attaching
an existing file. Any existing file could be re-used by reference, and the
user attaching it would then be granted access to that file.
This vulnerability is mitigated by the fact that an attacker must have a
permission granting the ability to create content which has a file field
using the module.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Filefield Sources 6.x-1.x versions prior to 6.x-1.9.
* Filefield Sources 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed FileField
Sources [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x, upgrade to
FileField Sources 6.x-1.9 [5]
* If you use the FileField Sources module for Drupal 7.x, upgrade to
FileField Sources 7.x-1.9 [6]
Also see the FileField Sources [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Joseph Lee [8]
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [9] the module maintainer
* Cash Williams [10] provisional member of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Cash Williams [11] provisional member of the Drupal Security Team
* David Stoline [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/filefield_sources
[5] https://drupal.org/node/2124217
[6] https://drupal.org/node/2124219
[7] http://drupal.org/project/filefield_sources
[8] http://drupal.org/user/32743
[9] http://drupal.org/user/6399
[10] http://drupal.org/user/29938
[11] http://drupal.org/user/29938
[12] http://drupal.org/user/329570
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2118873
* Advisory ID: DRUPAL-SA-CONTRIB-2013-082
* Project: Bean [1] (third-party module)
* Version: 7.x
* Date: 2013-10-23
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to create block entities a.k.a. beans.
The module did not sufficiently filter bean titles for dangerous HTML.
This vulnerability is mitigated by the fact that an attacker must have
permission to create or edit beans.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Bean 7.x-1.x versions prior to 7.x-1.5
Drupal core is not affected. If you do not use the contributed Bean [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Bean module for Drupal 7.x, upgrade to Bean 7.x-1.5 [5]
Also see the Bean [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Francesco Quagliati [7]
-------- FIXED BY
------------------------------------------------------------
* Damien McKenna [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/bean
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/bean
[5] https://drupal.org/node/2118867
[6] http://drupal.org/project/bean
[7] http://drupal.org/user/1977720
[8] https://drupal.org/user/108450
[9] http://drupal.org/user/426416
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2118717
* Advisory ID: DRUPAL-SA-CONTRIB-2013-081
* Project: Spaces [1] (third-party module)
* Version: 6.x
* Date: 2013-10-23
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to make configuration options generally available
only at the sitewide level to be configurable and overridden by individual
"spaces" on a Drupal site.
The Spaces OG submodule doesn't properly handle the deletion of Organic
Groups group spaces when the option to move the group's content to a new
group is selected. Instead of moving the content to the new group, the
content is left orphaned, and for deleted private groups that content becomes
viewable by anyone with the "access content" permission once the site's (or
the content's) access records are rebuilt.
The issue is mitigated by the fact that the Spaces OG submodule must be in
use, a site user must delete a group and choose the move option, and the
content's access records must then be rebuilt.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spaces 6.x-3.x versions prior to 6.x-3.7.
Drupal core is not affected. If you do not use the contributed Spaces [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.7 [5]
Also see the Spaces [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Hunter Fox [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Tobby Hagler [8] a module maintainer
* Hunter Fox [9] of the Drupal Security Team, module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/spaces
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/spaces
[5] https://drupal.org/node/2118745
[6] http://drupal.org/project/spaces
[7] http://drupal.org/user/426416
[8] http://drupal.org/user/154797
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/426416
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2113515
* Advisory ID: DRUPAL-SA-CONTRIB-2013-080
* Project: Simplenews [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-Month-DD
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to publish and send newsletters to lists of
subscribers.
The module also includes an API that other modules can use to register
subscribers.
The module doesn't sufficiently sanitize e-mail addresses before outputting
them. The forms the module provides (sign-up, mass import, ..) validate input
and only accept valid e-mail addresses, but e-mail addresses can also be added
directly through the API, which does not validate them.
This vulnerability is mitigated by the fact that the Simplenews module's own
forms perform input validation that prevents known attacks, so the injection
vector must be another module (custom or contributed) that adds subscribers
through the Simplenews API without validating the e-mail address.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews 6.x-1.x versions prior to 6.x-1.5.
* Simplenews 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Simplenews [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews module for Drupal 6.x-1.x, upgrade to Simplenews
6.x-1.5 [5]
* If you use the Simplenews module for Drupal 7.x-1.x, upgrade to Simplenews
7.x-1.1 [6]
Also see the Simplenews [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pat Redmond [8]
-------- FIXED BY
------------------------------------------------------------
* Sascha Grossenbacher [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] and Lee Rowlands [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/simplenews
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/simplenews
[5] https://drupal.org/node/2113487
[6] https://drupal.org/node/2113491
[7] http://drupal.org/project/simplenews
[8] https://drupal.org/user/1369488
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/395439
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2113317
* Advisory ID: DRUPAL-SA-CONTRIB-2013-079
* Project: Context [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-October-16
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
Context allows you to manage contextual conditions and reactions for
different portions of your site.
This advisory covers two separate issues. The first, and more severe issue
(Highly Critical status), is that the module allows execution of PHP code via
manipulation of a URL argument in a path used for AJAX operations when
running in a configuration without a json_decode function provided by PHP or
the PECL JSON library.
This vulnerability is mitigated by the fact that the server must be running a
version of PHP prior to 5.2 that does not have the JSON library installed
(PHP 5.2+ comes bundled with the JSON library).
The second, less severe issue (Less Critical status), is that Context uses
Drupal's token scheme to restrict access to the json rendering of a block.
This control mechanism is insufficient as Drupal's token scheme is designed
to provide security between two different sessions (or a session and a non
authenticated user) and is not designed to provide security within a session.
This means that a user with access to block A may be able to use the
information about block A and the resulting token in order to generate the
correct token for accessing block B to which they should not have access.
This vulnerability is mitigated by the fact that it only matters for blocks
that contain sensitive information (for example, custom blocks with private
information or a list of unpublished nodes).
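The second issue above is a general lesson: a session-bound token proves that a request came from the session that was issued the token, not that the session is allowed to see what it asks for. The following is an added illustration written for this digest, not code from the Context module; it models a Drupal-style token (an HMAC over the session id and a value, keyed with a site secret) in Python. The block ids, the role sets, the session id and the constant "context_block" used as the token value are all constructed for the example and are assumptions, not details taken from the advisory.

```python
"""Added example (not Context's code): a per-session token is not authorization.

A Drupal-style token is HMAC(site_secret, session_id + value). If an endpoint
derives the token from a constant value, a token the browser already holds for
block A validates for block B in the same session. The hardened endpoint binds
the token to the requested block and, independently, checks block access.
"""
import hashlib
import hmac

# Constructed sample data for the demo (hypothetical site state).
SITE_PRIVATE_KEY = b"example-site-private-key"
BLOCKS = {
    "public_news": {"content": "Latest news",
                    "roles": {"anonymous", "authenticated", "editor"}},
    "unpublished_nodes": {"content": "Unpublished nodes: draft-1, draft-2",
                          "roles": {"editor"}},
}
SESSIONS = {"sess-alice": {"roles": {"authenticated"}}}


def get_token(session_id, value):
    """Session-bound token in the spirit of drupal_get_token():
    HMAC over session id + value, keyed with the site's private key."""
    msg = (session_id + value).encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token, session_id, value):
    return hmac.compare_digest(token, get_token(session_id, value))


def block_access(session_id, block_id):
    """True when the session holds at least one role the block is visible to."""
    return bool(SESSIONS[session_id]["roles"] & BLOCKS[block_id]["roles"])


def render_block_vulnerable(session_id, block_id, token):
    """Token computed over a constant: it proves only that the request came
    from this session. Nothing checks that the session may see block_id."""
    if block_id not in BLOCKS:
        return None
    if not valid_token(token, session_id, "context_block"):
        return None
    return BLOCKS[block_id]["content"]


def render_block_hardened(session_id, block_id, token):
    """Token bound to the specific block, plus an explicit access check.
    The access check is the real fix; the per-block token only stops a
    token minted for one block from being replayed for another."""
    if block_id not in BLOCKS:
        return None
    if not valid_token(token, session_id, "context_block:" + block_id):
        return None
    if not block_access(session_id, block_id):
        return None
    return BLOCKS[block_id]["content"]


def demo():
    """Returns (vulnerable, hardened_with_replayed_token, hardened_with_correct_token)."""
    sid = "sess-alice"
    # Alice loads the public block; the page hands her browser this token.
    leaked = get_token(sid, "context_block")
    vulnerable = render_block_vulnerable(sid, "unpublished_nodes", leaked)
    replayed = render_block_hardened(sid, "unpublished_nodes", leaked)
    correct = render_block_hardened(
        sid, "unpublished_nodes", get_token(sid, "context_block:unpublished_nodes"))
    return vulnerable, replayed, correct


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the restricted block's content from the vulnerable endpoint and `None` from the hardened one in both cases: the replayed token fails the per-block binding, and even a correctly bound token is refused because Alice lacks the "editor" role. Whether the token is per-block or not, the access check on the requested resource is what must never be skipped.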
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* 6.x-2.x versions prior to 6.x-3.2.
* 7.x-3.x versions prior to 7.x-3.0.
Drupal core is not affected. If you do not use the contributed Context [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
The remote code execution issue can be resolved by any of the following:
* Upgrading your PHP to 5.2+
* Installing the JSON package [5].
* Upgrading Context to 6.x-3.2 [6] or 7.x-3.0 [7]
The block access issue can be resolved only by upgrading Context to 6.x-3.2
[8] or 7.x-3.0 [9].
Also see the Context [10] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine [11] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Hunter [12] of the Drupal Security Team, a module maintainer
* Heine [13] of the Drupal Security Team
* tekante [14] a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter [15] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
[1] http://drupal.org/project/context
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/context
[5] http://pecl.php.net/package/json
[6] https://drupal.org/node/2112791
[7] https://drupal.org/node/2112785
[8] https://drupal.org/node/2112791
[9] https://drupal.org/node/2112785
[10] http://drupal.org/project/context
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/426416
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/640024
[15] http://drupal.org/user/426416
[16] http://drupal.org/contact
[17] http://drupal.org/security-team
[18] http://drupal.org/writing-secure-code
[19] http://drupal.org/security/secure-configuration
View online: https://drupal.org/node/2103187
* Advisory ID: DRUPAL-SA-CONTRIB-2013-078
* Project: Quick Tabs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-October-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Quick Tabs module allows you to create blocks of tabbed content,
specifically views, blocks, nodes and other quicktabs. You can create a block
on your site containing multiple tabs with corresponding content.
The module does not sufficiently check block permissions before rendering a
Quick Tab. Before this vulnerability was addressed, if a block had been
restricted to only appear for certain roles, that access was not checked
before rendering it within a Quick Tab, leaving the contents of that block
visible to the world.
This vulnerability is mitigated by the fact that node and view permissions
are respected, meaning the vulnerability primarily exists for custom blocks
created for specific roles.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Quick Tabs 7.x-3.x versions prior to 7.x-3.6.
* Quick Tabs 6.x-3.x versions prior to 6.x-3.2.
* Quick Tabs 6.x-2.x versions prior to 6.x-2.2.
Drupal core is not affected. If you do not use the contributed Quick Tabs [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Quick Tabs 3.x module for Drupal 7.x, upgrade to Quick Tabs
7.x-3.6 [5]
* If you use the Quick Tabs 3.x module for Drupal 6.x, upgrade to Quick Tabs
6.x-3.2 [6]
* If you use the Quick Tabs 2.x module for Drupal 6.x, upgrade to Quick Tabs
6.x-2.2 [7]
Also see the Quick Tabs [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Steven Wiliam [9]
-------- FIXED BY
------------------------------------------------------------
* Fengtan [10]
* Matt Tucker [11] (one of) the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/quicktabs
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/quicktabs
[5] https://drupal.org/node/2103113
[6] https://drupal.org/node/2103121
[7] https://drupal.org/node/2103127
[8] http://drupal.org/project/quicktabs
[9] http://drupal.org/user/299097
[10] http://drupal.org/user/847318
[11] http://drupal.org/user/153963
[12] http://drupal.org/user/395439
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration