Security-news October 2015

security-news@drupal.org

1 participants
9 discussions

Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161
by security-news＠drupal.org 28 Oct '15

28 Oct '15

View online: https://www.drupal.org/node/2603560 * Advisory ID: DRUPAL-SA-CONTRIB-2015-161 * Project: Field as Block [1] (third-party module) * Version: 7.x * Date: 2015-October-28 * Security risk: 8/25 ( Less Critical) AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output based on user permissions. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Field as Block 7.x-1.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed Field as Block [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Field as Block module for Drupal 7.x, upgrade to Field as Block 7.x-1.4 [5] Also see the Field as Block [6] project page. -------- REPORTED BY --------------------------------------------------------- * László Csécsy [7] -------- FIXED BY ------------------------------------------------------------ * László Csécsy [8] * Marc van Gend [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/fieldblock [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/fieldblock [5] https://www.drupal.org/node/2603420 [6] https://www.drupal.org/project/fieldblock [7] https://www.drupal.org/user/199303 [8] https://www.drupal.org/user/199303 [9] https://www.drupal.org/user/158153 [10] https://www.drupal.org/u/hefox [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160
by security-news＠drupal.org 21 Oct '15

21 Oct '15

View online: https://www.drupal.org/node/2598536 * Advisory ID: DRUPAL-SA-CONTRIB-2015-160 * Project: Webform CiviCRM Integration [1] (third-party module) * Version: 7.x * Date: 2015-October-21 * Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform. The module doesn't sufficiently escape user input. Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define the input prompts, or permission to create events in CiviCRM. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Webform CiviCRM 7.x versions prior to 7.x-4.13. Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform CiviCRM module for Drupal 7.x, upgrade to Webform CiviCRM 7.x-4.13 [5] Also see the Webform CiviCRM Integration [6] project page. -------- REPORTED BY --------------------------------------------------------- * Neil Drumm [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Coleman Watts [8] the module maintainer * Chris Burgess [9] of the CiviCRM Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/webform_civicrm [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/webform_civicrm [5] https://www.drupal.org/node/2589615 [6] https://www.drupal.org/project/webform_civicrm [7] https://www.drupal.org/user/3064 [8] https://www.drupal.org/user/639856 [9] https://www.drupal.org/user/76026 [10] https://www.drupal.org/u/greggles [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-159
by security-news＠drupal.org 21 Oct '15

21 Oct '15

View online: https://www.drupal.org/node/2598434 * Advisory ID: DRUPAL-SA-CONTRIB-2015-159 * Project: LABjs [1] (third-party module) * Version: 7.x * Date: 2015-October-21 * Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Open Redirect -------- DESCRIPTION --------------------------------------------------------- The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004 [3]). Only sites with the Overlay module enabled are vulnerable. An incomplete fix for this issue was released in SA-CONTRIB-2015-124 [4]. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * LABjs 7.x-1.x versions prior to 7.x-1.8. Drupal core is not affected. If you do not use the contributed LABjs [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the LABjs module for Drupal 7.x, upgrade to LABjs 7.x-1.8 [7] Also see the LABjs [8] project page. -------- REPORTED BY --------------------------------------------------------- * Pere Orga [9] of the Drupal Security Team * Samuel Mortenson [10] -------- FIXED BY ------------------------------------------------------------ * Hai-Nam Nguyen [11] the module maintainer * Pere Orga [12] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [13] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [18] [1] https://www.drupal.org/project/labjs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2015-004 [4] https://www.drupal.org/node/2507735 [5] http://cve.mitre.org/ [6] https://www.drupal.org/project/labjs [7] https://www.drupal.org/node/2569611 [8] https://www.drupal.org/project/labjs [9] https://www.drupal.org/user/2301194 [10] https://www.drupal.org/u/samuel.mortenson [11] https://www.drupal.org/u/jcisio [12] https://www.drupal.org/u/pere-orga [13] https://www.drupal.org/security-team [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration [18] https://twitter.com/drupalsecurity

1 0

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158
by security-news＠drupal.org 21 Oct '15

21 Oct '15

View online: https://www.drupal.org/node/2598426 * Advisory ID: DRUPAL-SA-CONTRIB-2015-158 * Project: jQuery Update [1] (third-party module) * Version: 7.x * Date: 2015-October-21 * Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Open Redirect -------- DESCRIPTION --------------------------------------------------------- The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004 [3]). Only sites with the Overlay module enabled are vulnerable. An incomplete fix for this issue was released in SA-CONTRIB-2015-123 [4]. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * jQuery Update 7.x-2.x versions prior to 7.x-2.7 Drupal core is not affected. If you do not use the contributed jQuery Update [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the jQuery Update module 2.x branch, upgrade to jQuery Update 7.x-2.7 [7] Also see the jQuery Update [8] project page. -------- REPORTED BY --------------------------------------------------------- * Samuel Mortenson [9] * Pere Orga [10] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Pere Orga [11] of the Drupal Security Team * Mark Carver [12], module maintainer -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [13] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14]. Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [18] [1] https://www.drupal.org/project/jquery_update [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2015-004 [4] https://www.drupal.org/node/2507729 [5] http://cve.mitre.org/ [6] https://www.drupal.org/project/jquery_update [7] https://www.drupal.org/node/2597768 [8] https://www.drupal.org/project/jquery_update [9] https://www.drupal.org/u/samuel.mortenson [10] https://www.drupal.org/user/2301194 [11] https://www.drupal.org/user/2301194 [12] https://www.drupal.org/u/markcarver [13] https://www.drupal.org/security-team [14] https://www.drupal.org/contact [15] https://www.drupal.org/security-team [16] https://www.drupal.org/writing-secure-code [17] https://www.drupal.org/security/secure-configuration [18] https://twitter.com/drupalsecurity

1 0

Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004
by security-news＠drupal.org 21 Oct '15

21 Oct '15

View online: https://www.drupal.org/SA-CORE-2015-004 * Advisory ID: DRUPAL-SA-CORE-2015-004 * Project: Drupal core [1] * Version: 7.x * Date: 2015-October-21 * Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Open Redirect -------- DESCRIPTION --------------------------------------------------------- The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled. An incomplete fix for this issue was released as part of SA-CORE-2015-002 [3]. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal core 7.x versions prior to 7.41. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal 7.x, upgrade to Drupal 7.41 [5] Also see the Drupal core [6] project page. -------- REPORTED BY --------------------------------------------------------- * Samuel Mortenson [7] * Pere Orga [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Pere Orga [9] of the Drupal Security Team * David Rothstein [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security Team [11] -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2015-002 [4] http://cve.mitre.org/ [5] https://www.drupal.org/drupal-7.41-release-notes [6] https://www.drupal.org/project/drupal [7] https://www.drupal.org/u/samuel.mortenson [8] https://www.drupal.org/u/pere-orga [9] https://www.drupal.org/u/pere-orga [10] https://www.drupal.org/u/david_rothstein [11] https://www.drupal.org/security-team [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157
by security-news＠drupal.org 14 Oct '15

14 Oct '15

View online: https://www.drupal.org/node/2592901 * Advisory ID: DRUPAL-SA-CONTRIB-2015-157 * Project: Twilio [1] (third-party module) * Version: 7.x * Date: 2015-October-14 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This vulnerability is mitigated by the fact that an attacker must have access to a session with the role that has the permission "access administration pages". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Twilio 7.x-1.x versions prior to 7.x-1.11 Drupal core is not affected. If you do not use the contributed Twilio [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.11 [5] Grant the permission "administer twilio" to any roles that should be able to administer the Twilio module. Also see the Twilio [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ivo Van Geertruyen [7] of the Drupal Security Team * Pere Orga i Esteve [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Arvin Singla [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/twilio [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/twilio [5] https://www.drupal.org/node/2577607 [6] https://www.drupal.org/project/twilio [7] https://www.drupal.org/user/383424 [8] https://www.drupal.org/user/2301194 [9] https://www.drupal.org/user/61137 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156
by security-news＠drupal.org 07 Oct '15

07 Oct '15

View online: https://www.drupal.org/node/2582071 * Advisory ID: DRUPAL-SA-CONTRIB-2015-156 * Project: Colorbox [1] (third-party module) * Version: 7.x * Date: 2015-October-07 * Security risk: 8/25 ( Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Colorbox 7.x-2.x versions prior to 7.x-2.10. Drupal core is not affected. If you do not use the contributed Colorbox [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Colorbox module for Drupal 7.x, upgrade to Colorbox 7.x-2.10 [5] Also see the Colorbox [6] project page. -------- REPORTED BY --------------------------------------------------------- * znerol [7] -------- FIXED BY ------------------------------------------------------------ * Fredrik Jonsson [8] the module maintainer * Ben Dougherty [9] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Ben Dougherty [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/colorbox [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/colorbox [5] https://www.drupal.org/node/2578165 [6] https://www.drupal.org/project/colorbox [7] https://www.drupal.org/user/63999 [8] https://www.drupal.org/user/5546 [9] https://www.drupal.org/user/1852732 [10] https://www.drupal.org/user/1852732 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155
by security-news＠drupal.org 07 Oct '15

07 Oct '15

View online: https://www.drupal.org/node/2582015 * Advisory ID: DRUPAL-SA-CONTRIB-2015-155 * Project: Entity Registration [1] (third-party module) * Version: 7.x * Date: 2015-October-07 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] * Vulnerability: Information Disclosure -------- DESCRIPTION --------------------------------------------------------- This module enables you to manage registrations for events. The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations. This vulnerability is mitigated by the fact that anonymous users must have the permission "Register other accounts." -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Entity Registration 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed Entity Registration [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.6 [5] /Note on releases: the security bug was fixed in the 7.x-1.5 release, however that release included many other bug fixes and features. The 7.x-1.6 release is intended to fix a critical, non-security bug in the 7.x-1.5 release./ Update permissions configuration: * Remove the "Register other accounts" permission for anonymous users or other unprivileged roles * If needed, add the "Register Self" permission for anonymous users and other unprivileged roles Also see the Entity Registration [6] project page. -------- REPORTED BY --------------------------------------------------------- * Caroline Boyden [7] -------- FIXED BY ------------------------------------------------------------ * Gabe Carleton-Barnes [8], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team * David Snopek [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/registration [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/registration [5] https://www.drupal.org/node/2582283 [6] https://www.drupal.org/project/registration [7] https://www.drupal.org/user/657902 [8] https://www.drupal.org/user/1682976 [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/u/dsnopek [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154
by security-news＠drupal.org 07 Oct '15

07 Oct '15

View online: https://www.drupal.org/node/2581997 * Advisory ID: DRUPAL-SA-CONTRIB-2015-154 * Project: stickynote [1] (third-party module) * Version: 7.x * Date: 2015-October-07 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Stickynote 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed stickynote [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version. * If you use the Stickynote module for Drupal 6.x, upgrade to Stickynote 7.x-1.3 [5] Also see the stickynote [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jon Peck [7] -------- FIXED BY ------------------------------------------------------------ * Luke Herrington [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/stickynote [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/stickynote [5] https://www.drupal.org/node/2581519 [6] https://www.drupal.org/project/stickynote [7] https://www.drupal.org/u/fluxsauce [8] https://www.drupal.org/u/infiniteluke [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2015