View online: https://www.drupal.org/node/2603560
* Advisory ID: DRUPAL-SA-CONTRIB-2015-161
* Project: Field as Block [1] (third-party module)
* Version: 7.x
* Date: 2015-October-28
* Security risk: 8/25 (Less Critical)
AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to take a field from the current entity and place it
elsewhere as a block.
The module caches the block output in a manner that could allow sensitive
content to be seen by visitors who should not see it.
The problem will only occur when other modules alter field output based on
user permissions.
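The failure mode described above, as an added illustration (not the Field as Block module's own code): a Drupal 7 block that renders an entity field is cached per page only, so the output rendered for whichever user hit the page first is served to everyone else, even when another module strips parts of the field for users lacking a permission. Function names prefixed `example_fieldblock_` and the use of the node `body` field are assumptions for the example.

```php
<?php
/**
 * Illustrative Drupal 7 block definitions showing a block-cache setting that
 * leaks permission-dependent field output, next to settings that do not.
 */

/**
 * Implements hook_block_info().
 */
function example_fieldblock_block_info() {
  $blocks = array();

  // Weak: cached once per page regardless of who rendered it first. If another
  // module alters field output by permission, the first visitor's rendering
  // (possibly an administrator's) is served to every later visitor of the page.
  $blocks['leaky_body'] = array(
    'info' => t('Field as block (per page only)'),
    'cache' => DRUPAL_CACHE_PER_PAGE,
  );

  // Safer: vary the cache by role as well as by page, so output rendered for
  // one role is never handed to a different role.
  $blocks['role_body'] = array(
    'info' => t('Field as block (per role and page)'),
    'cache' => DRUPAL_CACHE_PER_ROLE | DRUPAL_CACHE_PER_PAGE,
  );

  // Safest when field access is decided per account (authorship, a
  // hook_field_access() keyed on the user): do not cache the block at all.
  $blocks['uncached_body'] = array(
    'info' => t('Field as block (uncached)'),
    'cache' => DRUPAL_NO_CACHE,
  );

  return $blocks;
}

/**
 * Implements hook_block_view().
 *
 * field_view_field() runs field access checks and other modules' alterations
 * for the *current* user. That only helps when this function actually runs:
 * once the block is served from cache, the access check above is skipped,
 * which is why the 'cache' setting decides whether anyone is protected.
 */
function example_fieldblock_block_view($delta = '') {
  $block = array();
  $node = menu_get_object();
  if (!$node || !field_access('view', field_info_field('body'), 'node', $node)) {
    return $block;
  }
  $block['subject'] = NULL;
  $block['content'] = field_view_field('node', $node, 'body', 'default');
  return $block;
}
```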
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field as Block 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Field as Block
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field as Block module for Drupal 7.x, upgrade to Field as
Block 7.x-1.4 [5]
Also see the Field as Block [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* László Csécsy [7]
-------- FIXED BY
------------------------------------------------------------
* László Csécsy [8]
* Marc van Gend [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/fieldblock
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/fieldblock
[5] https://www.drupal.org/node/2603420
[6] https://www.drupal.org/project/fieldblock
[7] https://www.drupal.org/user/199303
[8] https://www.drupal.org/user/199303
[9] https://www.drupal.org/user/158153
[10] https://www.drupal.org/u/hefox
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2598536
* Advisory ID: DRUPAL-SA-CONTRIB-2015-160
* Project: Webform CiviCRM Integration [1] (third-party module)
* Version: 7.x
* Date: 2015-October-21
* Security risk: 12/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal
Webform.
The module doesn't sufficiently escape user input.
Some of the vulnerabilities are mitigated by the fact that an attacker must
have a role with the permission to edit the webform node plus "access
CiviCRM" to define the input prompts, or permission to create events in
CiviCRM.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform CiviCRM 7.x versions prior to 7.x-4.13.
Drupal core is not affected. If you do not use the contributed Webform
CiviCRM Integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform CiviCRM module for Drupal 7.x, upgrade to Webform
CiviCRM 7.x-4.13 [5]
Also see the Webform CiviCRM Integration [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Neil Drumm [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Coleman Watts [8] the module maintainer
* Chris Burgess [9] of the CiviCRM Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/webform_civicrm
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_civicrm
[5] https://www.drupal.org/node/2589615
[6] https://www.drupal.org/project/webform_civicrm
[7] https://www.drupal.org/user/3064
[8] https://www.drupal.org/user/639856
[9] https://www.drupal.org/user/76026
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/SA-CORE-2015-004
* Advisory ID: DRUPAL-SA-CORE-2015-004
* Project: Drupal core [1]
* Version: 7.x
* Date: 2015-October-21
* Security risk: 9/25 (Less Critical)
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
The Overlay module in Drupal core displays administrative pages as a layer
over the current page (using JavaScript), rather than replacing the page in
the browser window. The Overlay module does not sufficiently validate URLs
prior to displaying their contents, leading to an open redirect
vulnerability.
This vulnerability is mitigated by the fact that it can only be used against
site users who have the "Access the administrative overlay" permission, and
that the Overlay module must be enabled.
An incomplete fix for this issue was released as part of SA-CORE-2015-002
[3].
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal core 7.x versions prior to 7.41.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal 7.41 [5]
Also see the Drupal core [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Samuel Mortenson [7]
* Pere Orga [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
* David Rothstein [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security Team [11]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2015-002
[4] http://cve.mitre.org/
[5] https://www.drupal.org/drupal-7.41-release-notes
[6] https://www.drupal.org/project/drupal
[7] https://www.drupal.org/u/samuel.mortenson
[8] https://www.drupal.org/u/pere-orga
[9] https://www.drupal.org/u/pere-orga
[10] https://www.drupal.org/u/david_rothstein
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2592901
* Advisory ID: DRUPAL-SA-CONTRIB-2015-157
* Project: Twilio [1] (third-party module)
* Version: 7.x
* Date: 2015-October-14
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module provides hooks and rules integration to leverage the Twilio API
to send/receive phone calls and text messages.
The module relies on existing permissions for providing administration which
can lead to untrusted users having access to perform actions that may not be
intended.
This vulnerability is mitigated by the fact that an attacker must have access
to a session with the role that has the permission "access administration
pages".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Twilio 7.x-1.x versions prior to 7.x-1.11
Drupal core is not affected. If you do not use the contributed Twilio [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.11
[5]
Grant the permission "administer twilio" to any roles that should be able to
administer the Twilio module.
Also see the Twilio [6] project page.
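The access-control change the description and solution above refer to, as an added illustration (not the Twilio module's own code): a Drupal 7 administration route gated by core's broad "access administration pages" permission beside one gated by the module-specific "administer twilio" permission the advisory tells site owners to grant. The `example_twilio_` function names, the menu paths and the settings form are assumptions for the example.

```php
<?php
/**
 * Illustrative Drupal 7 permission and menu wiring. The weak route reuses a
 * core permission that many editor roles already hold; the corrected route
 * requires a permission that only exists for this module.
 */

/**
 * Implements hook_permission().
 *
 * 'restrict access' => TRUE marks the permission as security-sensitive on the
 * permissions page, so administrators see a warning before granting it widely.
 */
function example_twilio_permission() {
  return array(
    'administer twilio' => array(
      'title' => t('Administer Twilio'),
      'description' => t('Change Twilio credentials and messaging settings.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_twilio_menu() {
  $items = array();

  // Weak: any role holding "access administration pages" (commonly granted
  // so editors can reach admin/) can also change Twilio settings.
  $items['admin/config/system/example-twilio-legacy'] = array(
    'title' => 'Twilio (legacy access)',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_twilio_settings_form'),
    'access arguments' => array('access administration pages'),
  );

  // Corrected: only roles explicitly granted the module's own permission.
  $items['admin/config/system/example-twilio'] = array(
    'title' => 'Twilio',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_twilio_settings_form'),
    'access arguments' => array('administer twilio'),
  );

  return $items;
}

/**
 * Hypothetical settings form, kept minimal so the routes above resolve.
 */
function example_twilio_settings_form($form, &$form_state) {
  $form['example_twilio_account_sid'] = array(
    '#type' => 'textfield',
    '#title' => t('Account SID'),
    '#default_value' => variable_get('example_twilio_account_sid', ''),
  );
  return system_settings_form($form);
}
```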
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen [7] of the Drupal Security Team
* Pere Orga i Esteve [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Arvin Singla [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/twilio
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/twilio
[5] https://www.drupal.org/node/2577607
[6] https://www.drupal.org/project/twilio
[7] https://www.drupal.org/user/383424
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/61137
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2582071
* Advisory ID: DRUPAL-SA-CONTRIB-2015-156
* Project: Colorbox [1] (third-party module)
* Version: 7.x
* Date: 2015-October-07
* Security risk: 8/25 (Less Critical)
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows for integration of Colorbox, a jQuery lightbox plugin,
into Drupal.
The module allows unprivileged users to add unexpected content to a Colorbox,
including content from external sites. This allows an unprivileged user to
deface a site.
This vulnerability is mitigated by the fact that an attacker must have
permission to post comments with a text format that allows links.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Colorbox 7.x-2.x versions prior to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed Colorbox [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Colorbox module for Drupal 7.x, upgrade to Colorbox
7.x-2.10 [5]
Also see the Colorbox [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* znerol [7]
-------- FIXED BY
------------------------------------------------------------
* Fredrik Jonsson [8] the module maintainer
* Ben Dougherty [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/colorbox
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/colorbox
[5] https://www.drupal.org/node/2578165
[6] https://www.drupal.org/project/colorbox
[7] https://www.drupal.org/user/63999
[8] https://www.drupal.org/user/5546
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/user/1852732
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2582015
* Advisory ID: DRUPAL-SA-CONTRIB-2015-155
* Project: Entity Registration [1] (third-party module)
* Version: 7.x
* Date: 2015-October-07
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to manage registrations for events.
The module doesn't sufficiently protect information about who is registered
to attend specific events when anonymous users are granted a permission that
is commonly recommended when allowing anonymous registrations.
This vulnerability is mitigated by the fact that anonymous users must have
the permission "Register other accounts."
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Entity Registration 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Entity
Registration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Entity Registration module for Drupal 7.x, upgrade to
Entity Registration 7.x-1.6 [5]
/Note on releases: the security bug was fixed in the 7.x-1.5 release, however
that release included many other bug fixes and features. The 7.x-1.6 release
is intended to fix a critical, non-security bug in the 7.x-1.5 release./
Update permissions configuration:
* Remove the "Register other accounts" permission for anonymous users or
other unprivileged roles
* If needed, add the "Register Self" permission for anonymous users and
other unprivileged roles
Also see the Entity Registration [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Caroline Boyden [7]
-------- FIXED BY
------------------------------------------------------------
* Gabe Carleton-Barnes [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/registration
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/registration
[5] https://www.drupal.org/node/2582283
[6] https://www.drupal.org/project/registration
[7] https://www.drupal.org/user/657902
[8] https://www.drupal.org/user/1682976
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/dsnopek
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2581997
* Advisory ID: DRUPAL-SA-CONTRIB-2015-154
* Project: stickynote [1] (third-party module)
* Version: 7.x
* Date: 2015-October-07
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to create notes on a page inside a block.
The module doesn't sufficiently sanitize the note text on the admin listing
page.
This vulnerability is mitigated by the fact that an attacker must have a role
with a permission to create or edit a stickynote.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Stickynote 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed stickynote [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Stickynote module for Drupal 7.x, upgrade to Stickynote
7.x-1.3 [5]
Also see the stickynote [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jon Peck [7]
-------- FIXED BY
------------------------------------------------------------
* Luke Herrington [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/stickynote
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/stickynote
[5] https://www.drupal.org/node/2581519
[6] https://www.drupal.org/project/stickynote
[7] https://www.drupal.org/u/fluxsauce
[8] https://www.drupal.org/u/infiniteluke
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity