View online: http://drupal.org/SA-CORE-2013-002
* Advisory ID: DRUPAL-SA-CORE-2013-002
* Project: Drupal core [1]
* Version: 7.x
* Date: 2013-February-20
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Denial of service
-------- DESCRIPTION
---------------------------------------------------------
Drupal core's Image module allows for the on-demand generation of image
derivatives. This capability can be abused by requesting a large number of
new derivatives which can fill up the server disk space, and which can cause
a very high CPU load. Either of these effects may lead to the site becoming
unavailable or unresponsive.
Please see the Drupal 7.20 release notes [3] for important notes about the
changes which were made to fix this issue, since some sites will require
extra testing and care when deploying this Drupal core release.
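The usual defence against this class of on-demand generation abuse is to let the site sign each derivative URL so that a remote client cannot invent new (style, path) combinations and force expensive work. The following is an added illustration in Python, not Drupal code or a description of its fix; the `/sites/default/files/styles/` layout and the `itok` parameter name are assumptions chosen to resemble Drupal 7 image style paths.

```python
"""Added example: HMAC-signed image-derivative URLs as a defence against the
on-demand derivative denial of service described in SA-CORE-2013-002.
Illustrative Python, not Drupal code; the URL layout and the ``itok``
query parameter are assumptions, not taken from the advisory."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

PRIVATE_KEY = b"constructed-private-key-do-not-reuse"  # constructed sample key
KNOWN_STYLES = {"thumbnail", "medium", "large"}
STYLE_PREFIX = "/sites/default/files/styles/"          # assumed path layout


def derivative_token(style: str, source: str, key: bytes = PRIVATE_KEY) -> str:
    """Return a token binding one image style to one source path.

    Only code holding the site's private key (the site itself, when it emits
    an <img> URL) can produce a valid token, so a remote client cannot mint
    new (style, path) pairs and make the server render them.
    """
    digest = hmac.new(key, f"{style}:{source}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def signed_url(style: str, source: str, key: bytes = PRIVATE_KEY) -> str:
    """Build the URL the site would emit for a derivative (token in ``itok``)."""
    return f"{STYLE_PREFIX}{style}/{source}?itok={derivative_token(style, source, key)}"


class DerivativeServer:
    """Minimal stand-in for the derivative endpoint; counts expensive renders."""

    def __init__(self, key: bytes = PRIVATE_KEY):
        self.key = key
        self.cache: Dict[Tuple[str, str], bytes] = {}  # stands in for files on disk
        self.render_calls = 0

    def _render(self, style: str, source: str) -> bytes:
        self.render_calls += 1  # the CPU- and disk-costly step we want to bound
        return f"<{style} derivative of {source}>".encode()

    def handle(self, url: str) -> Tuple[int, Optional[bytes]]:
        parts = urlsplit(url)
        if not parts.path.startswith(STYLE_PREFIX):
            return 404, None
        style, _, source = parts.path[len(STYLE_PREFIX):].partition("/")
        if style not in KNOWN_STYLES or not source:
            return 404, None
        token = parse_qs(parts.query).get("itok", [""])[0]
        expected = derivative_token(style, source, self.key)
        # Constant-time compare, and reject before any generation work is done.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return 403, None
        key = (style, source)
        if key not in self.cache:  # each valid pair is rendered at most once
            self.cache[key] = self._render(style, source)
        return 200, self.cache[key]


def simulate_flood(n_attacker: int = 1000) -> Dict[str, int]:
    """Constructed scenario: one site-emitted URL fetched twice, then a flood of
    requests for fresh (style, path) combinations carrying forged tokens."""
    server = DerivativeServer()
    legit = signed_url("thumbnail", "public/photo.jpg")
    served = sum(server.handle(legit)[0] == 200 for _ in range(2))
    rejected = 0
    for i in range(n_attacker):
        style = ("thumbnail", "medium", "large")[i % 3]
        flood_url = f"{STYLE_PREFIX}{style}/public/junk{i}.jpg?itok=forged{i}"
        if server.handle(flood_url)[0] == 403:
            rejected += 1
    return {"served": served, "rejected": rejected,
            "renders": server.render_calls, "cached": len(server.cache)}
```

With the token check in place the flood produces no renders and no new files, while the legitimately signed URL is rendered once and then served from the cache.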
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal core 7.x versions prior to 7.20.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal core 7.20 [5].
Also see the Drupal core [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Bèr Kessels [7]
* aBrookland [8]
* Chad Fennell [9]
-------- FIXED BY
------------------------------------------------------------
* Damien Tournoud [10] of the Drupal Security Team
* Peter Wolanin [11] of the Drupal Security Team
* David Rothstein [12] of the Drupal Security Team
* Heine Deelstra [13] of the Drupal Security Team
* Bèr Kessels [14]
-------- COORDINATED BY
------------------------------------------------------
* David Rothstein [15] of the Drupal Security Team
* Stéphane Corlosquet [16] of the Drupal Security Team
* Peter Wolanin [17] of the Drupal Security Team
* Greg Knaddison [18] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/drupal-7.20-release-notes
[4] http://cve.mitre.org/
[5] http://drupal.org/drupal-7.20-release-notes
[6] http://drupal.org/project/drupal
[7] http://drupal.org/user/2663
[8] http://drupal.org/user/2274988
[9] http://drupal.org/user/10297
[10] http://drupal.org/user/22211
[11] http://drupal.org/user/49851
[12] http://drupal.org/user/124982
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/2663
[15] http://drupal.org/user/124982
[16] http://drupal.org/user/52142
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/36762
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922756
* Advisory ID: DRUPAL-SA-CONTRIB-2013-023
* Project: Varnish HTTP Accelerator Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-February-20
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides integration between your Drupal site and the Varnish
HTTP Accelerator, an advanced and very fast reverse-proxy system.
The module doesn't sufficiently filter user-supplied text provided in the
configuration settings.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Varnish".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Varnish 6.x-1.x versions prior to 6.x-1.2.
* Varnish 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Varnish HTTP
Accelerator Integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Varnish module for Drupal 6.x, upgrade to Varnish 6.x-1.2
[5]
* If you use the Varnish module for Drupal 7.x, upgrade to Varnish
7.x-1.0-beta2 [6]
Also see the Varnish HTTP Accelerator Integration [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Josh Koenig [9] the module maintainer
* Fabian Sörqvist [10] the module maintainer
* Ivo Van Geertruyen [11] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
* Ben Jeavons [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/varnish
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/varnish
[5] http://drupal.org/node/1922730
[6] http://drupal.org/node/1922726
[7] http://drupal.org/project/varnish
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/3313
[10] http://drupal.org/user/255704
[11] http://drupal.org/user/383424
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/91990
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922438
* Advisory ID: DRUPAL-SA-CONTRIB-2013-021
* Project: Display Suite [1] (third-party module)
* Version: 7.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.
In certain situations, Display Suite does not properly sanitize user-supplied
data, allowing a malicious user to embed scripts within a page, resulting in
a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that the site must use a
contributed module that alters usernames, such as the Realname module, and the
author field must be displayed as plain text "author".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Display Suite 7.x-1.x versions prior to 7.x-1.7.
* Display Suite 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed Display Suite
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display
Suite 7.x-1.7 [5]
* If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display
Suite 7.x-2.1 [6]
Also see the Display Suite [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Stéphane Corlosquet [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Stéphane Corlosquet [9] of the Drupal Security Team
* Kristof De Jaeger [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Stéphane Corlosquet [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/ds
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ds
[5] http://drupal.org/node/1922430
[6] http://drupal.org/node/1922424
[7] http://drupal.org/project/ds
[8] http://drupal.org/user/52142
[9] http://drupal.org/user/52142
[10] http://drupal.org/user/107403
[11] http://drupal.org/user/52142
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922446
* Advisory ID: DRUPAL-SA-CONTRIB-2013-022
* Project: Menu Reference [1] (third-party module)
* Version: 7.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Menu Reference module doesn't escape HTML contained in menu link titles
displayed by the Menu Reference "Rendered links" formatter.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer menus and menu items" to insert HTML code in a
menu link title.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Menu Reference 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Menu Reference
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Menu Reference module for Drupal 7.x, upgrade to Menu
Reference 7.x-1.1 [5]
Also see the Menu Reference [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tamás Demeter-Haludka [7]
-------- FIXED BY
------------------------------------------------------------
* Tomáš Barej [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/menu_reference
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/menu_reference
[5] http://drupal.org/node/1922434
[6] http://drupal.org/project/menu_reference
[7] http://drupal.org/user/372872
[8] http://drupal.org/user/258659
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922418
* Advisory ID: DRUPAL-SA-CONTRIB-2013-020
* Project: Ubercart [1] (third-party module)
* Version: 7.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Ubercart module for Drupal provides a shopping cart and e-commerce
features for Drupal.
The "full name" field in Views did not properly sanitize output.
The vulnerability is mitigated by the fact that an attacker must get far
enough in the checkout process to store their name with an order.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Ubercart 7.x-3.x versions prior to 7.x-3.4.
Drupal core is not affected. If you do not use the contributed Ubercart [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.4
[5]
Also see the Ubercart [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* 20th [7]
-------- FIXED BY
------------------------------------------------------------
* 20th [8]
* Dave Long [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/ubercart
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ubercart
[5] http://drupal.org/node/1922136
[6] http://drupal.org/project/ubercart
[7] http://drupal.org/user/486690
[8] http://drupal.org/user/486690
[9] http://drupal.org/user/246492
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922416
* Advisory ID: DRUPAL-SA-CONTRIB-2013-019
* Project: Ubercart Views [1] (third-party module)
* Version: 6.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Ubercart Views provides Views integration for the Ubercart shopping cart
module.
The "full name" field in Views is not properly sanitized on output.
The vulnerability is mitigated by the fact that an attacker must get far
enough in the checkout process to store their name with an order.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Ubercart Views for Drupal 6.x prior to 6.x-3.3.
Drupal core is not affected. If you do not use the contributed Ubercart Views
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ubercart Views module for Drupal 6.x, upgrade to Ubercart
Views 6.x-3.3 [5]
Also see the Ubercart Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* 20th [7]
-------- FIXED BY
------------------------------------------------------------
* 20th [8]
* Dave Long [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/uc_views
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/uc_views
[5] http://drupal.org/node/1922128
[6] http://drupal.org/project/uc_views
[7] http://drupal.org/user/486690
[8] http://drupal.org/user/486690
[9] http://drupal.org/user/246492
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922410
* Advisory ID: DRUPAL-SA-CONTRIB-2013-018
* Project: Taxonomy Manager [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Taxonomy Manager provides an advanced interface for administering
taxonomy vocabularies.
The module doesn't sufficiently verify POST requests, thereby exposing a Cross
Site Request Forgery vulnerability.
This vulnerability is mitigated by the fact that an attacker must trick a
user with 'administer taxonomy' permissions onto a prepared page with a
site-specific malicious HTML form submission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Taxonomy Manager 6.x-2.x versions prior to 6.x-2.2.
* Taxonomy Manager 7.x-1.x versions prior to 7.x-1.0-rc1.
Drupal core is not affected. If you do not use the contributed Taxonomy
Manager [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Taxonomy Manager module for Drupal 6.x, upgrade to Taxonomy
Manager 6.x-2.3 [5]
* If you use the Taxonomy Manager module for Drupal 7.x, upgrade to Taxonomy
Manager 7.x-1.0-rc2 [6]
Also see the Taxonomy Manager [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matthias Hutterer [8] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Matthias Hutterer [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/taxonomy_manager
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/taxonomy_manager
[5] http://drupal.org/node/1922170
[6] http://drupal.org/node/1922168
[7] http://drupal.org/project/taxonomy_manager
[8] http://drupal.org/user/59747
[9] http://drupal.org/user/59747
[10] http://drupal.org/user/262198
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1922400
* Advisory ID: DRUPAL-SA-CONTRIB-2013-017
* Project: Yandex.Metrics [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2013-February-20
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Yandex.Metrics module enables you to install Yandex.Metrica tracking code
and view reports on key indicators of user activity.
The module doesn't sufficiently escape Yandex.Metrica service data when it is
displayed.
This vulnerability is mitigated by the fact that it only impacts sites with
published content which contains special code and which is indexed by the
Yandex search engine.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Yandex.Metrics 6.x-1.x versions prior to 6.x-1.6.
* Yandex.Metrics 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Yandex.Metrics
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Yandex.Metrics module for Drupal 6.x, upgrade to
Yandex.Metrics 6.x-1.6 [5]
* If you use the Yandex.Metrics module for Drupal 7.x, upgrade to
Yandex.Metrics 7.x-1.5 [6]
Also see the Yandex.Metrics [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Konstantin Komelin [8]
-------- FIXED BY
------------------------------------------------------------
* Konstantin Komelin [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/yandex_metrics
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/yandex_metrics
[5] http://drupal.org/node/1921340
[6] http://drupal.org/node/1921342
[7] http://drupal.org/project/yandex_metrics
[8] http://drupal.org/user/1195752
[9] http://drupal.org/user/1195752
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/395439
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1916370
* Advisory ID: DRUPAL-SA-CONTRIB-2013-016
* Project: Banckle Chat [1] (third-party module)
* Version: 7.x
* Date: 2013-February-13
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to chat with the visitors of your web site.
The module doesn't sufficiently check access to its admin pages.
This vulnerability is not mitigated.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Banckle Chat 7.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Banckle Chat
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Uninstall the module.
Also see the Banckle Chat [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Wale Adesanya [6]
* Lau Futtrup Rasmussen
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Gerhard Killesreiter [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/banckle_live_chat
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/banckle_live_chat
[5] http://drupal.org/project/banckle_live_chat
[6] http://drupal.org/user/1028156
[7] http://drupal.org/user/83
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1916312
* Advisory ID: DRUPAL-SA-CONTRIB-2013-015
* Project: Manager Change for Organic Groups [1] (third-party module)
* Version: 7.x
* Date: 2013-February-13
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module extends Organic Groups to allow the manager of a group to select
a new manager for their group (i.e. if they want to leave the group).
The autocomplete field for selecting a new manager didn't properly filter
usernames.
The vulnerability is mitigated by the fact that Drupal's default registration
validation prevents the creation of usernames that contain cross site
scripting attacks. However, a contributed module may bypass that validation
or alter the way usernames are loaded in a way that introduces an attack
vector.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Manager Change for Organic Groups 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed Manager Change
for Organic Groups module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the 2.x branch of the Manager Change for Organic Groups module
for Drupal 7.x, upgrade to Manager Change for Organic Groups 7.x-2.1 [4]
Also see the Manager Change for Organic Groups project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Joe Haskins [6] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
[1] http://drupal.org/project/og_manager_change
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/node/1915408
[5] http://drupal.org/user/102818
[6] http://drupal.org/user/1358434
[7] http://drupal.org/user/102818
[8] http://drupal.org/contact
[9] http://drupal.org/security-team
[10] http://drupal.org/writing-secure-code
[11] http://drupal.org/security/secure-configuration