View online: https://drupal.org/node/2221481
* Advisory ID: DRUPAL-SA-CONTRIB-2014-033
* Project: Nivo Slider [1] (third-party module)
* Version: 7.x
* Date: 2014-March-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Nivo Slider provides a way to showcase featured content. Nivo Slider gives
administrators a simple method of adding slides to the slideshow, an
administration interface to configure slideshow settings, and simple slider
positioning using the Drupal block system.
The module doesn't sufficiently sanitize the title of images in the slider.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer nivo slider".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Nivo Slider 7.x-2.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed Nivo Slider
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Nivo Slider module for Drupal 7.x, upgrade to Nivo Slider 7.x-1.11 [5]
Also see the Nivo Slider [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* James Davis [7]
-------- FIXED BY ------------------------------------------------------------
* Devin Carlson (module maintainer) [8]
* James Davis [9]
-------- COORDINATED BY ------------------------------------------------------
* Domenic Santangelo [10] provisional member of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] http://drupal.org/project/nivo_slider
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nivo_slider
[5] https://drupal.org/node/2220545
[6] http://drupal.org/project/nivo_slider
[7] http://drupal.org/user/2766355
[8] https://drupal.org/user/290182
[9] http://drupal.org/user/2766355
[10] https://drupal.org/user/173461
[11] http://drupal.org/user/91990
[12] https://drupal.org/user/36762
[13] https://drupal.org/user/395439
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2221403
* Advisory ID: DRUPAL-SA-CONTRIB-2014-032
* Project: Xapian integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-March-19
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to use the Xapian system to search a Xapian index from
within Drupal.
The module doesn't verify node access rights when a node is loaded for display
after the search has been performed in Xapian.
This vulnerability is mitigated by the fact that the system must be using a
node access control module.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Xapian integration 6.x-2.x versions prior to 6.x-2.2.
* Xapian integration 7.x-2.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Xapian
integration [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Xapian integration module for Drupal 6.x, upgrade to Xapian
integration 6.x-2.2 [5]
* If you use the Xapian integration module for Drupal 7.x, upgrade to Xapian
integration 7.x-1.2 [6]
Also see the Xapian integration [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Antonello Lobianco [8].
-------- FIXED BY ------------------------------------------------------------
* Marco Villegas [9] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/xapian
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/xapian
[5] https://drupal.org/node/2220483
[6] https://drupal.org/node/2220487
[7] http://drupal.org/project/xapian
[8] https://drupal.org/user/170459
[9] http://drupal.org/user/132175
[10] https://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2216607
* Advisory ID: DRUPAL-SA-CONTRIB-2014-031
* Project: Webform Template [1] (third-party module)
* Version: 7.x
* Date: 2014-March-12
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to copy webform config from one node to another.
The module doesn't respect node access when listing the nodes that can be
copied from. As a result, a user may be shown the titles of nodes they do not
have view access to, and may then be able to copy the webform configuration
from those otherwise hidden nodes.
This vulnerability is mitigated by the fact that the system must be using a
node access control module and an attacker must have a role that has access
to edit nodes of the "webform template destination" type.
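The Xapian integration and Webform Template advisories above describe the same class of defect: node access is enforced neither on a listing query nor on a node that is loaded after an external lookup. The following is an added example (it is not code from either module) showing where the checks belong in Drupal 7. It assumes a bootstrapped Drupal 7 site; the function names and the `source_nid` form field are hypothetical.

```php
<?php
// Added example, not the Webform Template or Xapian integration module's own
// code. Assumes a bootstrapped Drupal 7 site; names are hypothetical.

/**
 * Lists candidate source nodes for a "copy from" select list.
 *
 * The 'node_access' query tag makes Drupal join the node_access grants
 * table for the current user, so nodes the user may not view never reach
 * the form and their titles are not disclosed.
 */
function example_template_sources($type = 'webform') {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $type)
    ->condition('n.status', 1)
    ->addTag('node_access');
  // nid => title, ready for a '#type' => 'select' '#options' array.
  return $query->execute()->fetchAllKeyed();
}

/**
 * Filters node IDs returned by an external search index.
 *
 * The index (Xapian in the advisory) knows nothing about Drupal's node
 * grants, so every hit must be re-checked with node_access() after it is
 * loaded; anything the user may not view is dropped before rendering.
 */
function example_filter_search_hits(array $nids, $account = NULL) {
  $visible = array();
  foreach (node_load_multiple($nids) as $nid => $node) {
    if (node_access('view', $node, $account)) {
      $visible[$nid] = $node;
    }
  }
  return $visible;
}

/**
 * Form validation for the copy action: re-check the chosen source node, so a
 * nid edited into the submitted form cannot bypass the filtered select list.
 */
function example_template_form_validate($form, &$form_state) {
  $source = node_load($form_state['values']['source_nid']);
  if (!$source || !node_access('view', $source)) {
    form_set_error('source_nid', t('You are not allowed to copy from that node.'));
  }
}
```

The listing check and the validation check are both needed: the tag keeps hidden titles out of the form, and the validate handler covers a tampered submission. In Drupal 6 the equivalent of the query tag is wrapping the SELECT in db_rewrite_sql(); node_access() exists in both branches.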
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All Webform Template 6.x-1.x versions.
* Webform Template 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Webform
Template [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Webform Template module for Drupal 7.x, upgrade to a newer
version. The issue is fixed as of 7.x-1.3 [5].
* If using an older version, be aware of the risks & consequences.
*Note:* For some sites, the previous behavior was exactly how they used this
module. To restore the original functionality, go to the settings page
(admin/config/content/webform_template) and check the "Defeat node access"
checkbox.
Also see the Webform Template [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* theunraveler [7]
-------- FIXED BY ------------------------------------------------------------
* rv0 [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Rick Manelius [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/webform_template
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/webform_template
[5] https://drupal.org/node/2216447
[6] http://drupal.org/project/webform_template
[7] https://drupal.org/user/71548
[8] https://drupal.org/user/655596
[9] https://drupal.org/user/680072
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2216269
* Advisory ID: DRUPAL-SA-CONTRIB-2014-030
* Project: SexyBookmarks [1] (third-party module)
* Version: 6.x
* Date: 2014-March-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in.
The module adds social bookmarking using the Shareaholic service.
The module discloses the private files location when Drupal 6 is configured
to use private files.
This vulnerability is mitigated by the fact that only sites using private
files are affected.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All SexyBookmarks 6.x-2.x versions.
Drupal core is not affected. If you do not use the contributed SexyBookmarks
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
* If you use the SexyBookmarks module for Drupal 6.x, you should disable it.
* Users can also consider using the Shareaholic [5] module, which provides
similar features. However, the Shareaholic module is currently only available
for Drupal 7, so affected users would have to upgrade to Drupal 7 first.
Also see the SexyBookmarks [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Don Morris [7]
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
* Cash Williams [9] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/sexybookmarks
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/sexybookmarks
[5] http://drupal.org/project/shareaholic
[6] http://drupal.org/project/sexybookmarks
[7] http://drupal.org/user/79398
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/421070
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2211381
* Advisory ID: DRUPAL-SA-CONTRIB-2014-027
* Project: NewsFlash [1] (third-party theme)
* Version: 6.x, 7.x
* Date: 2014-March-05
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Newsflash is a theme that features 7 color styles, 12 collapsible regions,
suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and
lots more.
The theme does not sanitize the user-provided theme setting for the font-family
CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer themes".
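Both this advisory (an unsanitized font-family theme setting) and the Nivo Slider advisory above (an unsanitized image title) are output-encoding failures in an administrator-supplied value. The following is an added example, not code from either project, showing the two fixes side by side: a plain HTML escape for the title (the same operation Drupal's check_plain() performs) and a character allowlist for the CSS value, which cannot be made safe by HTML escaping alone once it sits inside a style block. Function names and the sample inputs are constructed.

```php
<?php
// Added example, not the NewsFlash theme's or Nivo Slider module's own code.
// Function names and sample inputs are constructed for the demonstration.

// Same operation as Drupal's check_plain(): escape for HTML text/attributes.
function escape_html($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// A font-family value is a comma-separated list of family names, so nothing
// outside letters, digits, spaces, hyphens and commas is ever needed. Rather
// than escaping, reject anything else and fall back to a known-good value.
function clean_font_family($value, $fallback = 'sans-serif') {
  $value = trim($value);
  if ($value === '' || strlen($value) > 200) {
    return $fallback;
  }
  if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 ,\-]*$/', $value)) {
    return $fallback;
  }
  return $value;
}

// Render one slide: the title lands in HTML attributes, the font family in a
// <style> block. Escaping the already-allowlisted font value is harmless and
// keeps the output safe even if the allowlist is loosened later.
function render_slide($title, $font_family) {
  $safe_title = escape_html($title);
  $safe_font  = escape_html(clean_font_family($font_family));
  return "<style>.slide-title { font-family: $safe_font; }</style>\n"
       . "<img alt=\"$safe_title\" title=\"$safe_title\" src=\"slide.jpg\">";
}

// Constructed inputs: a benign pair, then a pair carrying markup in both
// the title and the CSS value.
$cases = array(
  array('Spring sale', 'Georgia, serif'),
  array('"><script>alert(1)</script>', 'Arial</style><script>alert(1)</script>'),
);
foreach ($cases as $case) {
  list($title, $font) = $case;
  echo render_slide($title, $font), "\n\n";
}
```

For the second case the title is emitted with its quotes and angle brackets encoded, and the font value fails the allowlist and is replaced by the fallback. In a Drupal 7 theme the allowlist check belongs in the validate handler of the theme settings form, and the title should pass through check_plain() at the point it is rendered, not when it is saved.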
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* NewsFlash 6.x-1.x versions prior to 6.x-1.7.
* NewsFlash 7.x-1.x versions prior to 7.x-2.5.
Drupal core is not affected. If you do not use the contributed NewsFlash [4]
theme, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the theme NewsFlash for Drupal 7.x, upgrade to NewsFlash
7.x-2.5 [5]
* If you use the theme NewsFlash for Drupal 6.x, upgrade to NewsFlash
6.x-1.7 [6]
Also see the NewsFlash [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dennis Walgaard [8]
-------- FIXED BY ------------------------------------------------------------
* Alyx Vance [9] the theme maintainer
-------- COORDINATED BY ------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/newsflash
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/newsflash
[5] https://drupal.org/node/2210621
[6] https://drupal.org/node/2210619
[7] http://drupal.org/project/newsflash
[8] https://drupal.org/user/883702
[9] https://drupal.org/user/1284976
[10] https://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2211401
* Advisory ID: DRUPAL-SA-CONTRIB-2014-028
* Project: Masquerade [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-March-05
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module allows a user with the right permissions to switch users.
When a user has been limited to only masquerading as certain users via the
"Enter the users this user is able to masquerade as" user profile field, they
can still masquerade as any user on the site by using the "Enter the username
to masquerade as." autocomplete field in the masquerade block.
This vulnerability is mitigated by the fact that an attacker must have access
to masquerade as another user.
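The defect described here is a restriction enforced on one input path (the per-user list) but not on a second path (the autocomplete field) that reaches the same privileged action. The following is an added example, not the Masquerade module's own code, of the design that prevents this: one authorization function that every entry point calls after resolving its input to a user ID. The user table, permission flag and function names are constructed for the demonstration.

```php
<?php
// Added example, not the Masquerade module's own code. The user records and
// function names are constructed for the demonstration.

// Constructed user table: uid => name, whether the user may masquerade at
// all, and the per-user list of permitted targets (empty list = any user).
$users = array(
  1 => array('name' => 'admin',  'may_masquerade' => TRUE,  'allowed' => array()),
  2 => array('name' => 'editor', 'may_masquerade' => TRUE,  'allowed' => array(3)),
  3 => array('name' => 'author', 'may_masquerade' => FALSE, 'allowed' => array()),
  4 => array('name' => 'viewer', 'may_masquerade' => FALSE, 'allowed' => array()),
);

// The single gate: TRUE only if $actor_uid may become $target_uid.
function masquerade_allowed(array $users, $actor_uid, $target_uid) {
  if (!isset($users[$actor_uid], $users[$target_uid]) || $actor_uid == $target_uid) {
    return FALSE;
  }
  $actor = $users[$actor_uid];
  if (!$actor['may_masquerade']) {
    return FALSE;
  }
  // A non-empty per-user list restricts the actor to exactly those targets.
  if (!empty($actor['allowed']) && !in_array((int) $target_uid, $actor['allowed'], TRUE)) {
    return FALSE;
  }
  return TRUE;
}

// Entry point 1: target chosen by uid from the restricted select list.
function switch_by_uid(array $users, $actor_uid, $target_uid) {
  return masquerade_allowed($users, $actor_uid, $target_uid) ? (int) $target_uid : FALSE;
}

// Entry point 2: target typed as a username into an autocomplete field. The
// name is resolved to a uid and then passed through the same gate, so the
// free-text path cannot reach any account the select list would refuse.
function switch_by_name(array $users, $actor_uid, $target_name) {
  foreach ($users as $uid => $user) {
    if ($user['name'] === $target_name) {
      return switch_by_uid($users, $actor_uid, $uid);
    }
  }
  return FALSE;
}

// editor (uid 2) is limited to author (uid 3): both paths must agree.
var_dump(switch_by_uid($users, 2, 3));
var_dump(switch_by_name($users, 2, 'author'));
var_dump(switch_by_name($users, 2, 'admin'));
// admin is unrestricted; author has no masquerade permission at all.
var_dump(switch_by_uid($users, 1, 4));
var_dump(switch_by_name($users, 3, 'viewer'));
```

The point is that the autocomplete widget only changes how the target is named; once resolved to a uid it is subject to exactly the same check as the select list, so adding a third entry point later cannot reintroduce the bypass without also skipping the gate.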
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Masquerade 6.x-2.x versions prior to 6.x-1.8.
* Masquerade 7.x-2.x versions prior to 7.x-1.0-rc6.
Drupal core is not affected. If you do not use the contributed Masquerade [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Masquerade module for Drupal 6.x, upgrade to Masquerade
6.x-1.8 [5]
* If you use the Masquerade module for Drupal 7.x, upgrade to Masquerade
7.x-1.0-rc6 [6]
Also see the Masquerade [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jeff H [8]
-------- FIXED BY ------------------------------------------------------------
* Laurence Liss [9], provisional member of the Drupal Security Team
* Mark Shropshire [10], one of the Masquerade module maintainers
-------- COORDINATED BY ------------------------------------------------------
* Laurence Liss [11], provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/masquerade
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/masquerade
[5] https://drupal.org/node/2210877
[6] https://drupal.org/node/2210879
[7] http://drupal.org/project/masquerade
[8] http://drupal.org/user/37837
[9] http://drupal.org/user/724750
[10] http://drupal.org/user/14767
[11] http://drupal.org/user/724750
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2211419
* Advisory ID: DRUPAL-SA-CONTRIB-2014-029
* Project: Mime Mail [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-March-05
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The MIME Mail module allows sending MIME-encoded e-mail messages with embedded
images and attachments.
By default the module only allows files to be embedded or attached that are
located in the public files directory.
The module doesn't sufficiently check the file location: similar paths under
different roots are treated as being located in the public files directory,
possibly allowing arbitrary files to be sent as attachments without permission.
This vulnerability is mitigated by the fact that an attacker must be able to
compose and send e-mail messages to an arbitrary address and the attached
file's location must partly match with the system path of the public files
directory.
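The failure mode described above is a string-prefix (or substring) test standing in for a real "is this file inside that directory" check. The following is an added example, not the Mime Mail module's own code, that puts a naive substring check next to a canonicalised boundary check and runs both over a constructed directory tree: a file in the public directory, a file under a different root whose path ends the same way, a file in a sibling directory that shares the prefix, and a `..` traversal. Function names and the sample tree are constructed.

```php
<?php
// Added example, not the Mime Mail module's own code. Function names and the
// sample tree are constructed for the demonstration.

// Weak check: passes any path that merely contains the public directory
// string, so a similar path under a different root, or a sibling directory
// that shares the prefix, is treated as public.
function weak_is_public($path, $public_dir) {
  return strpos($path, $public_dir) !== FALSE;
}

// Hardened check: canonicalise both sides with realpath() (resolves symlinks
// and ".." segments), then require the file to sit strictly below the public
// directory, comparing at a directory-separator boundary so that
// "files_private" does not match "files".
function strict_is_public($path, $public_dir) {
  $real_file = realpath($path);
  $real_dir  = realpath($public_dir);
  if ($real_file === FALSE || $real_dir === FALSE) {
    return FALSE;
  }
  $prefix = rtrim($real_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return strncmp($real_file, $prefix, strlen($prefix)) === 0;
}

// Constructed sample tree under the system temp directory.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mimemail_demo_' . getmypid();
$public  = "$root/sites/default/files";
$other   = "$root/backup/sites/default/files";   // same tail, different root
$sibling = "$root/sites/default/files_private";  // shares a string prefix
foreach (array($public, $other, $sibling) as $dir) {
  mkdir($dir, 0700, TRUE);
}
$files = array(
  "$public/logo.png"    => 'public',
  "$other/dump.sql"     => 'backup copy',
  "$sibling/secret.txt" => 'private',
);
foreach ($files as $file => $content) {
  file_put_contents($file, $content);
}

$candidates = array_keys($files);
$candidates[] = "$public/../../../backup/sites/default/files/dump.sql"; // traversal
foreach ($candidates as $candidate) {
  printf("%-55s weak=%-3s strict=%s\n",
    str_replace($root, '', $candidate),
    weak_is_public($candidate, 'sites/default/files') ? 'yes' : 'no',
    strict_is_public($candidate, $public) ? 'yes' : 'no');
}

// Remove the sample tree again (children before parents).
foreach (array_keys($files) as $file) {
  unlink($file);
}
foreach (array($sibling, $other, $public,
               "$root/backup/sites/default", "$root/backup/sites", "$root/backup",
               "$root/sites/default", "$root/sites", $root) as $dir) {
  rmdir($dir);
}
```

The weak check accepts all four candidates; the strict check accepts only the file that actually resolves below the public directory. In a Drupal 7 module the public directory to canonicalise is drupal_realpath('public://'), and the candidate should be canonicalised the same way before the comparison.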
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Mime Mail 6.x-1.x versions prior to 6.x-1.4.
* Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta3.
Drupal core is not affected. If you do not use the contributed Mime Mail [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail
6.x-1.4 [5]
* If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail
7.x-1.0-beta3 [6]
Also see the Mime Mail [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [8] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Gabor Seljan [9] the module maintainer
* Rick Manelius [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Rick Manelius [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/mimemail
[5] https://drupal.org/node/2211111
[6] https://drupal.org/node/2211109
[7] http://drupal.org/project/mimemail
[8] http://drupal.org/user/17943
[9] http://drupal.org/user/232117
[10] http://drupal.org/user/680072
[11] http://drupal.org/user/680072
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity