View online: https://drupal.org/node/2236807
* Advisory ID: DRUPAL-SA-CONTRIB-2014-039
* Project: Revisioning [1] (third-party module)
* Version: 7.x
* Date: 2014-April-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to manage publication workflows whereby new, not
publicly visible revisions of existing published content may be created by an
author for review, while the current revision remains live to the public.
The new revision does not go live until it is approved by a moderator with
the necessary privileges to publish the new revision, replacing the old.
The module did not properly invoke the access grants introduced by other
contributed modules. Instead it granted "view" access to all published content
without enforcing the view access restrictions imposed by those modules.
This vulnerability is mitigated by the fact that this is only an issue when
your site uses modules that introduce additional access grants over and above
core's access permissions, such as Taxonomy Access or Content Access.
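The following is an illustrative example added to this advisory; it is not code from the Revisioning module and the function names are hypothetical. It contrasts the pattern the advisory describes (treating "published" as "viewable") with the Drupal 7 core check, node_access(), which consults hook_node_access() implementations and the {node_access} grant table that modules such as Taxonomy Access and Content Access populate. The last helper lets a site administrator compare the two checks for one node and one account, so the over-exposure on a given site's grant configuration can be seen directly.

```php
<?php
// Illustrative example, not Revisioning module code. All function names are
// hypothetical; the core APIs used (node_access, user_access, node_load,
// user_load) are Drupal 7 core.

/**
 * Weak check of the kind the advisory describes: "published" == "viewable".
 *
 * Node grants registered by other modules (hook_node_grants() /
 * hook_node_access_records()) are never consulted, so a node those modules
 * hide from this account is still shown.
 */
function example_revision_visible_weak($node, $account) {
  return !empty($node->status) && user_access('access content', $account);
}

/**
 * Correct check: delegate to node_access().
 *
 * node_access('view', ...) honours 'bypass node access', runs every
 * hook_node_access() implementation, and then queries the {node_access}
 * table with the account's grants. A revision may be exposed only if the
 * underlying node is viewable by this account.
 */
function example_revision_visible($node, $account = NULL) {
  if (!isset($account)) {
    global $user;
    $account = $user;
  }
  return node_access('view', $node, $account);
}

/**
 * Site-level comparison (hypothetical helper): run both checks for one node
 * and one account, e.g. via `drush php-eval`, to see whether the weak check
 * would have shown content that the site's access grants forbid.
 */
function example_compare_access($nid, $uid) {
  $node = node_load($nid);
  $account = user_load($uid);
  if (!$node || !$account) {
    return NULL;
  }
  $weak = example_revision_visible_weak($node, $account);
  $real = example_revision_visible($node, $account);
  return array(
    'nid' => $nid,
    'uid' => $uid,
    'weak_check_allows' => $weak,
    'node_access_allows' => $real,
    // TRUE means the weak check would expose a node that grants deny.
    'over_exposed' => $weak && !$real,
  );
}
```

Running example_compare_access() for an account in a role that Taxonomy Access or Content Access restricts should give 'over_exposed' => TRUE for any published node those modules hide; after upgrading to a version that calls node_access(), the module-level result matches 'node_access_allows'.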
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Revisioning version 7.x-1.7 only
Drupal core is not affected. If you do not use the contributed Revisioning
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Revisioning module 7.x-1.7, upgrade to 7.x-1.8 [5].
Revisioning 7.x-1.6 does not have the bug, but reverting to 7.x-1.6
naturally also means you miss out on any bug-fixes and features of version
7.x-1.7.
Also see the Revisioning [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ryan Jacobs [7]
-------- FIXED BY
------------------------------------------------------------
* Rik de Boer [8], the module maintainer
* Ryan Jacobs [9]
-------- COORDINATED BY
------------------------------------------------------
* Mark Ferree [10], provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] http://drupal.org/project/revisioning
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/revisioning
[5] https://drupal.org/node/2235477
[6] http://drupal.org/project/revisioning
[7] https://drupal.org/user/422459
[8] http://drupal.org/user/404007
[9] https://drupal.org/user/422459
[10] http://drupal.org/user/76245
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2236811
* Advisory ID: DRUPAL-SA-CONTRIB-2014-038
* Project: SimpleCorp [1] (third-party theme)
* Version: 7.x
* Date: 2014-April-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
SimpleCorp theme is a free responsive Drupal theme.
The SimpleCorp theme does not properly sanitize theme settings before they
are used in the output of a page.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer themes".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplecorp-7.x-1.0
Drupal core is not affected. If you do not use the contributed SimpleCorp [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the SimpleCorp theme 7.x-1.0 for Drupal 7.x, upgrade to
SimpleCorp theme 7.x-1.1 [5].
Also see the SimpleCorp [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dennis Walgaard [7]
-------- FIXED BY
------------------------------------------------------------
* George Tsopouridis [8], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/simplecorp
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/simplecorp
[5] https://drupal.org/node/2236255
[6] http://drupal.org/project/simplecorp
[7] https://drupal.org/user/883702
[8] http://drupal.org/user/829430
[9] https://drupal.org/user/262198
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2236797
* Advisory ID: DRUPAL-SA-CONTRIB-2014-037
* Project: BlueMasters [1] (third-party module)
* Version: 7.x
* Date: 2014-April-09
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Bluemasters is a responsive layout theme for Drupal 7.
The Bluemasters theme does not properly sanitize theme settings before they
are used in the output of a page.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer themes".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Bluemasters 7.x-2.x versions prior to 7.x-2.1.
Drupal core is not affected. If you do not use the contributed BlueMasters
[4] theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Bluemasters theme 7.x-2.0 for Drupal 7.x, upgrade to
Bluemasters 7.x-2.1 [5].
Also see the BlueMasters [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dennis Walgaard [7]
-------- FIXED BY
------------------------------------------------------------
* George Tsopouridis [8], the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] http://drupal.org/project/bluemasters
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/bluemasters
[5] https://drupal.org/node/2236251
[6] http://drupal.org/project/bluemasters
[7] https://drupal.org/user/883702
[8] http://drupal.org/user/829430
[9] https://drupal.org/user/262198
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2231663
* Advisory ID: DRUPAL-SA-CONTRIB-2014-035
* Project: CAS [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-April-02
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The cas_server module of the CAS project implements the CAS 1.0 and 2.0
specifications, providing single sign-on to relying party web applications
(the "service" in the CAS specs). The CAS server creates a single-use ticket
when serving a user's login request; the ticket is deleted when the relying
party validates it.
However, this successful validation will be cached if the Drupal page cache
is enabled, and subsequent identical validations can be processed even though
the single-use ticket has been deleted.
A user's session on a relying party can therefore be re-initialized via a
session replay attack involving the cas_server module, even when the user
deletes cookies and server-side sessions for both sites.
This would require an attacker to sniff the service URL containing the ticket
ID, such as with a non-SSL relying party, by protocol downgrade, or by
accessing an earlier user's web activity on a public computer.
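The following is an illustrative example added to this advisory; it is not code from the cas_server module, and the menu path, table name and function names are hypothetical. It shows the two properties a single-use ticket validation endpoint needs on Drupal 7 and which the advisory says were missing in the affected versions: the response must be kept out of the page cache (the cache is keyed by URL, the ticket is in the URL, and the relying party's request is anonymous, so a cached success would answer later requests for the same ticket after the ticket row is gone), and the ticket must be consumed atomically so that two concurrent validations cannot both succeed.

```php
<?php
// Illustrative example, not cas_server module code. The path
// 'example/serviceValidate', the table {example_cas_ticket} and all
// example_* functions are hypothetical; drupal_page_is_cacheable(),
// drupal_add_http_header(), db_query(), db_delete(), user_load(),
// check_plain() and drupal_exit() are Drupal 7 core.

/**
 * Implements hook_menu() (hypothetical path).
 */
function example_cas_menu() {
  $items['example/serviceValidate'] = array(
    'page callback' => 'example_cas_validate',
    'access callback' => TRUE,   // relying parties call this unauthenticated
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Consume a ticket: look up its owner, then delete exactly one row.
 *
 * Two concurrent validations may both read the row, but only the caller
 * whose DELETE reports 1 affected row is accepted; the other gets FALSE.
 * Returns the owning uid or FALSE.
 */
function example_cas_consume_ticket($ticket, $service) {
  $uid = db_query('SELECT uid FROM {example_cas_ticket} WHERE ticket = :t AND service = :s',
    array(':t' => $ticket, ':s' => $service))->fetchField();
  if ($uid === FALSE) {
    return FALSE;
  }
  $deleted = db_delete('example_cas_ticket')
    ->condition('ticket', $ticket)
    ->execute();
  return ($deleted === 1) ? (int) $uid : FALSE;
}

/**
 * Page callback for the validation endpoint.
 */
function example_cas_validate() {
  // Opt out of the Drupal page cache for this response. drupal_exit() ends
  // in drupal_page_set_cache(), which stores the page only when
  // drupal_page_is_cacheable() is TRUE; setting it FALSE here is what keeps
  // a successful validation from being replayed from cache.
  drupal_page_is_cacheable(FALSE);
  // Also tell any reverse proxy or browser cache in front of the site.
  drupal_add_http_header('Cache-Control', 'no-store, no-cache, must-revalidate');
  drupal_add_http_header('Content-Type', 'text/xml; charset=utf-8');

  $ticket = isset($_GET['ticket']) ? $_GET['ticket'] : '';
  $service = isset($_GET['service']) ? $_GET['service'] : '';

  $uid = ($ticket !== '' && $service !== '')
    ? example_cas_consume_ticket($ticket, $service)
    : FALSE;

  if ($uid === FALSE) {
    print example_cas_failure_xml('INVALID_TICKET', 'ticket not recognized');
    drupal_exit();
  }
  $account = user_load($uid);
  print example_cas_success_xml($account->name);
  drupal_exit();
}

/**
 * CAS 2.0 success response (the cas: namespace is the one from the spec).
 */
function example_cas_success_xml($username) {
  return '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationSuccess><cas:user>' . check_plain($username) . '</cas:user>'
    . '</cas:authenticationSuccess></cas:serviceResponse>';
}

/**
 * CAS 2.0 failure response.
 */
function example_cas_failure_xml($code, $message) {
  return '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationFailure code="' . check_plain($code) . '">'
    . check_plain($message)
    . '</cas:authenticationFailure></cas:serviceResponse>';
}
```

A quick site-level check of the cache behaviour, independent of the module's code: with the page cache enabled, request the validation URL twice from an anonymous client; the second response should be a failure, and the response headers should not carry the X-Drupal-Cache: HIT header that core adds to pages served from the page cache.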
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CAS Server 6.x-2.x versions prior to 6.x-3.3.
* CAS Server 7.x-2.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CAS [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CAS Server module for Drupal 6.x, upgrade to CAS Server
6.x-3.3 [5]
* If you use the CAS Server module for Drupal 7.x, upgrade to CAS Server
7.x-1.3 [6]
Also see the CAS [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Eric Searcy [8]
* Greg Knaddison [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Eric Searcy [10]
* Tim Yale [11], the module maintainer
* Greg Knaddison [12] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] http://drupal.org/project/cas
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/cas
[5] https://drupal.org/node/2231659
[6] https://drupal.org/node/2231657
[7] http://drupal.org/project/cas
[8] http://drupal.org/user/137284
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/137284
[11] http://drupal.org/user/2413764
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2231665
* Advisory ID: DRUPAL-SA-CONTRIB-2014-034
* Project: Custom Search [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-April-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Custom Search module alters the default search box to provide additional
search filtering options and control.
Custom Search contains a persistent cross-site scripting (XSS) vulnerability
because it fails to sanitize filter labels before display.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer custom search."
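The following is an illustrative example added to this advisory; it is not code from the Custom Search, SimpleCorp or Bluemasters projects, and every setting and variable name in it is hypothetical. It shows the single pattern behind this advisory and the two theme advisories above (DRUPAL-SA-CONTRIB-2014-037 and -038): an administrator-supplied string (a filter label or a theme setting) copied into page output unchanged, beside the Drupal 7 escaping calls that close the hole at the output boundary.

```php
<?php
// Illustrative example, not code from any of the projects named above.
// The setting name 'example_tagline', the variables 'example_filter_label'
// and 'example_footer_html', and the example_* functions are hypothetical.
// theme_get_setting(), variable_get(), check_plain(), filter_xss_admin()
// and t() are Drupal 7 core.

/**
 * Vulnerable pattern: the raw stored string goes straight into markup.
 *
 * A value such as <script>...</script> saved by anyone holding
 * "administer themes" (or "administer custom search") is then rendered for
 * every visitor: stored, or persistent, XSS.
 */
function example_preprocess_page_vulnerable(&$variables) {
  $variables['site_tagline'] = theme_get_setting('example_tagline');
  $variables['filter_heading'] = 'Filter by ' . variable_get('example_filter_label', 'Content type');
}

/**
 * Hardened pattern: escape where the value leaves PHP and enters HTML.
 *
 * check_plain() converts <, >, &, " to entities so the value is displayed
 * as text. For a string placed in a translatable message, an @-placeholder
 * in t() applies the same escaping. For a setting that is documented as
 * carrying limited HTML, filter_xss_admin() keeps the allowed tags and
 * strips script, event-handler attributes and javascript: URLs.
 */
function example_preprocess_page_hardened(&$variables) {
  $variables['site_tagline'] = check_plain(theme_get_setting('example_tagline'));

  $label = variable_get('example_filter_label', 'Content type');
  $variables['filter_heading'] = t('Filter by @label', array('@label' => $label));

  $footer = theme_get_setting('example_footer_html');
  $variables['footer_html'] = filter_xss_admin($footer);
}

/**
 * Hypothetical reviewer helper: given a list of preprocess-style values,
 * report which ones still contain a raw '<' after the escaping step, i.e.
 * which would be interpreted as markup by the browser. Values passed
 * through filter_xss_admin() legitimately keep tags, so they are listed
 * separately rather than flagged.
 */
function example_unescaped_values(array $values, array $html_allowed_keys = array()) {
  $suspicious = array();
  foreach ($values as $key => $value) {
    if (in_array($key, $html_allowed_keys, TRUE)) {
      continue;
    }
    if (is_string($value) && strpos($value, '<') !== FALSE) {
      $suspicious[] = $key;
    }
  }
  return $suspicious;
}
```

Applied to the variables array produced by example_preprocess_page_vulnerable() with a tagline containing a tag, example_unescaped_values() returns array('site_tagline'); applied to the hardened version with 'footer_html' listed as HTML-allowed, it returns an empty array. In a template, the same rule holds for any value printed with <?php print $var; ?>: either escape in the preprocess function or wrap the print in check_plain().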
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Custom Search 6.x-1.x versions prior to 6.x-1.12.
* Custom Search 7.x-1.x versions prior to 7.x-1.14.
Drupal core is not affected. If you do not use the contributed Custom Search
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Custom Search module for Drupal 6.x, upgrade to Custom
Search 6.x-1.12 [5]
* If you use the Custom Search module for Drupal 7.x, upgrade to Custom
Search 7.x-1.14 [6]
Also see the Custom Search [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin C. Klein Keane [8]
-------- FIXED BY
------------------------------------------------------------
* Justin C. Klein Keane [9]
* Jérôme Danthinne [10], module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
* Ben Jeavons [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] http://drupal.org/project/custom_search
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/custom_search
[5] https://drupal.org/node/2231533
[6] https://drupal.org/node/2231531
[7] http://drupal.org/project/custom_search
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/302225
[10] https://drupal.org/user/313766
[11] https://drupal.org/user/36762
[12] http://drupal.org/user/91990
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://drupal.org/node/2231671
* Advisory ID: DRUPAL-SA-CONTRIB-2014-036
* Project: Printer, email and PDF versions [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-April-02
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.
The module does not sufficiently sanitize user provided input when generating
the printed version of a node.
This is mitigated by the fact that an attacker must have permission to create
a node which offers the print functionality.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.19.
* Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.3.
* Printer, email and PDF versions 7.x-2.x versions prior to 7.x-2.0.
Drupal core is not affected. If you do not use the contributed Printer, email
and PDF versions [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Printer, email and PDF versions module for Drupal 6.x,
upgrade to print 6.x-1.19 [5]
* If you use the Printer, email and PDF versions module for Drupal 7.x,
upgrade to print 7.x-1.3 [6] or print 7.x-2.0 [7]
Also see the Printer, email and PDF versions [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dinesh Waghmare [9]
-------- FIXED BY
------------------------------------------------------------
* Dinesh Waghmare [10]
* Cash Williams [11], provisional member of the Drupal Security Team
* João Ventura [12], the module maintainer
* Heine Deelstra [13] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Heine Deelstra [14] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [19]
[1] http://drupal.org/project/print
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/print
[5] https://drupal.org/node/2231191
[6] https://drupal.org/node/2231197
[7] https://drupal.org/node/2231199
[8] http://drupal.org/project/print
[9] http://drupal.org/user/2279292
[10] http://drupal.org/user/2279292
[11] http://drupal.org/user/421070
[12] http://drupal.org/user/122464
[13] http://drupal.org/user/17943
[14] http://drupal.org/user/17943
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity