View online: https://www.drupal.org/node/2437993
* Advisory ID: DRUPAL-SA-CONTRIB-2015-062
* Project: Watchdog Aggregator [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Watchdog Aggregator collects watchdog messages from external sites.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause an administrator to enable and disable monitoring sites by
getting their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Watchdog Aggregator module.
Drupal core is not affected. If you do not use the contributed Watchdog
Aggregator [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Watchdog Aggregator module you should uninstall it.
Also see the Watchdog Aggregator [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/watchdog_aggregator
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/watchdog_aggregator
[5] https://www.drupal.org/project/watchdog_aggregator
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437991
* Advisory ID: DRUPAL-SA-CONTRIB-2015-061
* Project: Ubercart Webform Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Ubercart Webform Integration module integrates Webform and Ubercart modules.
The module doesn't sufficiently sanitize user supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have
permission to create/edit nodes.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Ubercart Webform Integration module.
Drupal core is not affected. If you do not use the contributed Ubercart
Webform Integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Ubercart Webform Integration module you should uninstall it.
Also see the Ubercart Webform Integration [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/uc_webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_webform
[5] https://www.drupal.org/project/uc_webform
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437985
* Advisory ID: DRUPAL-SA-CONTRIB-2015-060
* Project: Custom Sitemap [1] (third-party module)
* Version: 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Custom Sitemap module enables you to add custom sitemaps to a site.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user could trick an administrator into deleting sitemaps by getting their
browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Custom Sitemap module.
Drupal core is not affected. If you do not use the contributed Custom Sitemap
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Custom Sitemap module you should uninstall it.
Also see the Custom Sitemap [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/custom_sitemap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_sitemap
[5] https://www.drupal.org/project/custom_sitemap
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437981
* Advisory ID: DRUPAL-SA-CONTRIB-2015-059
* Project: Spider Video Player [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 15/25 (Critical)
AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Cross Site Request Forgery, Multiple
vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Spider Video Player module enables you to add HTML5 and Flash videos to your
site.
The module doesn't sufficiently check user input when deleting files. A
malicious user could delete arbitrary files by making a request to a
specially-crafted URL. This vulnerability is mitigated by the fact that the
attacker must have a role with the permission "access Spider Video Player
administration".
Additionally, the module doesn't sufficiently protect some URLs against CSRF.
A malicious user could trick an administrator into deleting videos by getting
their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Spider Video Player module.
Drupal core is not affected. If you do not use the contributed Spider Video
Player [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Spider Video Player module you should uninstall it.
Also see the Spider Video Player [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/player
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/player
[5] https://www.drupal.org/project/player
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437977
* Advisory ID: DRUPAL-SA-CONTRIB-2015-058
* Project: Spider Catalog [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Spider Catalog module enables you to build product catalogs.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause an administrator to delete products, ratings and categories by
getting their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Spider Catalog module.
Drupal core is not affected. If you do not use the contributed Spider Catalog
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Spider Catalog module you should uninstall it.
Also see the Spider Catalog [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/spider-catalog
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/spider-catalog
[5] https://www.drupal.org/project/spider-catalog
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437973
* Advisory ID: DRUPAL-SA-CONTRIB-2015-057
* Project: Spider Contacts [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 20/25 (Highly Critical)
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery, SQL Injection, Multiple
vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Spider Contacts module provides a user-friendly way to manage and display
contacts.
The module doesn't use Drupal's Database API properly, not sanitizing user
input on SQL queries and thereby exposing a SQL Injection vulnerability. This
vulnerability is mitigated by the fact that the attacker must have a role
with the permission "access Spider Contacts category administration".
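Added example, not code from the Spider Contacts module: a lookup written with string concatenation, then with the Drupal 7 Database API's bound placeholders and query builder. The module name "example", the table example_category and its columns are hypothetical.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example". Table and column names are
 * assumptions made for illustration, not taken from Spider Contacts.
 */

/**
 * Vulnerable pattern: request data is concatenated into the SQL string,
 * so the database parses it as part of the statement.
 */
function example_category_load_unsafe($id) {
  return db_query("SELECT id, name FROM {example_category} WHERE id = " . $id)
    ->fetchObject();
}

/**
 * Hardened: the value travels as a bound parameter, never as SQL text.
 */
function example_category_load($id) {
  return db_query(
    'SELECT id, name FROM {example_category} WHERE id = :id',
    array(':id' => $id)
  )->fetchObject();
}

/**
 * Hardened search with the query builder. The search string is bound as a
 * parameter and db_like() escapes LIKE wildcards in it. A sort column
 * cannot be bound, so it is picked from an allowlist instead.
 */
function example_category_search($name, $sort = 'name') {
  $sortable = array('id', 'name');
  if (!in_array($sort, $sortable, TRUE)) {
    $sort = 'name';
  }
  return db_select('example_category', 'c')
    ->fields('c', array('id', 'name'))
    ->condition('c.name', '%' . db_like($name) . '%', 'LIKE')
    ->orderBy('c.' . $sort, 'ASC')
    ->range(0, 50)
    ->execute()
    ->fetchAllKeyed();
}
```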
Additionally, the module doesn't sufficiently protect some URLs against CSRF.
A malicious user could trick an administrator into deleting contact
categories by getting their browser to make a request to a specially-crafted
URL.
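Added example, not code from any of the modules named here: the CSRF class described in this advisory and in the Watchdog Aggregator, Custom Sitemap, Spider Video Player and Spider Catalog advisories, closed in two ways in Drupal 7. The module name "example", its paths, permission and table are hypothetical.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example": paths, permission name and table
 * are assumptions made for illustration.
 */

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  // Option 1: route the destructive action through a confirmation form.
  // Form API adds and validates a per-session form token on submit.
  $items['admin/example/category/%/delete'] = array(
    'title' => 'Delete category',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_category_delete_confirm', 3),
    'access arguments' => array('administer example categories'),
    'type' => MENU_CALLBACK,
  );
  // Option 2: a one-click link, which has to carry its own token.
  $items['admin/example/category/%/toggle'] = array(
    'title' => 'Toggle category',
    'page callback' => 'example_category_toggle',
    'page arguments' => array(3),
    'access arguments' => array('administer example categories'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_category_delete_confirm($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => (int) $id);
  return confirm_form($form, t('Delete this category?'), 'admin/example/category');
}

function example_category_delete_confirm_submit($form, &$form_state) {
  db_delete('example_category')
    ->condition('id', $form_state['values']['id'])
    ->execute();
  $form_state['redirect'] = 'admin/example/category';
}

/**
 * Builds the one-click link with a token bound to the session and the action.
 */
function example_category_toggle_link($id) {
  $path = 'admin/example/category/' . (int) $id . '/toggle';
  return l(t('Toggle'), $path, array(
    'query' => array('token' => drupal_get_token('example_toggle_' . (int) $id)),
  ));
}

/**
 * Page callback: refuses the request unless the token matches, so a URL
 * requested from another site cannot trigger the state change.
 */
function example_category_toggle($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!is_string($token) || !drupal_valid_token($token, 'example_toggle_' . (int) $id)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('example_category')
    ->expression('status', '1 - status')
    ->condition('id', (int) $id)
    ->execute();
  drupal_goto('admin/example/category');
}
```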
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Spider Contacts module.
Drupal core is not affected. If you do not use the contributed Spider
Contacts [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Spider Contacts module you should uninstall it.
Also see the Spider Contacts [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/spider-contacts
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/spider-contacts
[5] https://www.drupal.org/project/spider-contacts
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437969
* Advisory ID: DRUPAL-SA-CONTRIB-2015-056
* Project: inLinks Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 16/25 (Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
inLinks Integration module enables you to use the inLinks product from the
Text Link Ads third-party service.
The module doesn't sufficiently sanitize user input in some path arguments,
thereby exposing a Cross Site Scripting vulnerability.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of inLinks Integration module.
Drupal core is not affected. If you do not use the contributed inLinks
Integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the inLinks Integration module you should uninstall it.
Also see the inLinks Integration [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/inlinks
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/inlinks
[5] https://www.drupal.org/project/inlinks
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437965
* Advisory ID: DRUPAL-SA-CONTRIB-2015-055
* Project: Services single sign-on server helper [1] (third-party
module)
* Version: 7.x
* Date: 2015-February-25
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
Services single sign-on server helper module provides functionality to
facilitate account information editing on a remote SSO site.
The module doesn't validate some user supplied URLs in parameters used for
page redirection. An attacker could trick users into visiting malicious sites
without realizing it.
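Added example, not code from the Services single sign-on server helper module: one way to validate a user-supplied redirect target in Drupal 7 before passing it to drupal_goto(). The module name "example", the "return" query parameter and the allowlisted host are hypothetical.

```php
<?php
/**
 * Hypothetical helper for a Drupal 7 module "example". The "return" query
 * parameter and the allowlisted host are assumptions for illustration.
 */

/**
 * Returns a redirect target that is either an internal path or an HTTPS
 * URL on an allowlisted host. Anything else becomes the fallback.
 */
function example_redirect_target($requested, $fallback = '<front>') {
  // Constructed allowlist of external hosts this site may redirect to.
  $allowed_hosts = array('sso.example.com');
  $default = array('path' => $fallback, 'options' => array());

  if (!is_string($requested) || $requested === '') {
    return $default;
  }
  // Browsers treat "\" as "/", so normalise before inspecting the value.
  $candidate = str_replace('\\', '/', trim($requested));
  // Reject control characters and embedded whitespace.
  if (preg_match('/[\x00-\x20\x7F]/', $candidate)) {
    return $default;
  }

  // Protocol-relative URLs ("//host/...") leave the site as well.
  $external = strpos($candidate, '//') === 0 || url_is_external($candidate);
  if ($external) {
    $parts = parse_url($candidate);
    // Compare the parsed host, not a substring of the URL, so that
    // "https://sso.example.com@other.test/" does not pass.
    $ok = is_array($parts)
      && isset($parts['scheme'], $parts['host'])
      && strtolower($parts['scheme']) === 'https'
      && in_array(strtolower($parts['host']), $allowed_hosts, TRUE);
    return $ok
      ? array('path' => $candidate, 'options' => array('external' => TRUE))
      : $default;
  }

  // Internal path: split off query and fragment so url() encodes them.
  $parts = drupal_parse_url($candidate);
  return array(
    'path' => ltrim($parts['path'], '/'),
    'options' => array(
      'query' => $parts['query'],
      'fragment' => $parts['fragment'],
    ),
  );
}

/**
 * Page callback that redirects only to a validated target.
 */
function example_return_page() {
  $requested = isset($_GET['return']) ? $_GET['return'] : '';
  $target = example_redirect_target($requested);
  drupal_goto($target['path'], $target['options']);
}
```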
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Services single sign-on server helper module.
Drupal core is not affected. If you do not use the contributed Services
single sign-on server helper [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Services single sign-on server helper module you should
uninstall it.
Also see the Services single sign-on server helper [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
[1] https://www.drupal.org/project/services_sso_server_helper
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services_sso_server_helper
[5] https://www.drupal.org/project/services_sso_server_helper
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437943
* Advisory ID: DRUPAL-SA-CONTRIB-2015-054
* Project: SMS Framework [1] (third-party module)
* Version: 6.x
* Date: 2015-February-25
* Security risk: 15/25 (Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
SMS Framework module enables you to send and receive SMS messages from and
into Drupal.
The module doesn't sufficiently sanitize user supplied text in message
previews, thereby exposing a reflected Cross Site Scripting vulnerability. An
attacker could exploit this vulnerability by getting the victim to visit a
specially-crafted URL.
This vulnerability is mitigated by the fact that the "Send to phone"
submodule must be enabled.
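Added example, not code from SMS Framework or inLinks Integration: a Drupal 7 page callback that echoes text taken from the URL, as in the reflected XSS described here and the path-argument XSS in the inLinks Integration advisory, first unescaped and then escaped for each output context. The module name "example" and its path are hypothetical.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example": page callbacks registered in
 * hook_menu() for a path such as example/preview/%, where the wildcard is
 * passed in as $text. Names and paths are assumptions for illustration.
 */

/**
 * Vulnerable pattern: the "!" placeholder of t() inserts the value as-is,
 * so markup in the path argument reaches the page unescaped.
 */
function example_preview_unsafe($text) {
  return '<p>' . t('Preview: !text', array('!text' => $text)) . '</p>';
}

/**
 * Hardened: every use of the value is escaped for the place it lands in.
 */
function example_preview($text) {
  $build = array();

  // Inside t(): "@" runs the value through check_plain(); "%" does the
  // same and wraps the result in <em>.
  $build['summary'] = array(
    '#markup' => '<p>' . t('Preview for %text', array('%text' => $text)) . '</p>',
  );

  // Plain text outside t(): escape explicitly.
  $build['body'] = array(
    '#markup' => '<pre>' . check_plain($text) . '</pre>',
  );

  // HTML attribute: drupal_attributes() escapes each value.
  $attributes = array(
    'href' => url('example/preview'),
    'title' => $text,
  );
  $build['link'] = array(
    '#markup' => '<a' . drupal_attributes($attributes) . '>' . t('Back') . '</a>',
  );

  // Where limited markup is wanted, strip everything except an allowlist
  // of tags instead of printing the raw string.
  $build['rich'] = array(
    '#markup' => '<div>' . filter_xss($text, array('em', 'strong')) . '</div>',
  );

  return $build;
}
```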
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* SMS Framework 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed SMS Framework
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the SMS Framework module for Drupal 6.x, upgrade to SMS
Framework 6.x-1.1 [5]
Also see the SMS Framework [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Reinier Battenberg [8] one of the module maintainers
* Pere Orga [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
[1] https://www.drupal.org/project/smsframework
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/smsframework
[5] https://www.drupal.org/node/2431717
[6] https://www.drupal.org/project/smsframework
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/2696
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437905
* Advisory ID: DRUPAL-SA-CONTRIB-2015-053
* Project: Entity API [1] (third-party module)
* Version: 7.x
* Date: 2015-February-25
* Security risk: 12/25 (Moderately Critical)
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Entity API module extends the entity API of Drupal core in order to
provide a unified way to deal with entities and their properties.
The module doesn't sufficiently sanitize field labels when exposing them
through the Token API thereby exposing a Cross Site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to administer fields such as "administer taxonomy".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Entity API 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Entity API [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Entity API module for Drupal 7.x, upgrade to Entity API
7.x-1.6 [5]
Also see the Entity API [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Francisco José Cruz Romanos [7]
-------- FIXED BY
------------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
* Francisco José Cruz Romanos [9]
* Wolfgang Ziegler [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
* Rick Manelius [12] of the Drupal Security Team
[1] https://www.drupal.org/project/entity
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/entity
[5] https://www.drupal.org/node/2437885
[6] https://www.drupal.org/project/entity
[7] https://www.drupal.org/user/848238
[8] https://www.drupal.org/u/klausi
[9] https://www.drupal.org/user/848238
[10] https://www.drupal.org/user/16747
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/u/rickmanelius
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity