View online: https://www.drupal.org/node/2459359
* Advisory ID: DRUPAL-SA-CONTRIB-2015-087
* Project: Ubercart Webform Checkout Pane [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-25
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Ubercart Webform Checkout Pane module allows you to define Webform nodes as
checkout/order panes in Ubercart.
The module doesn't sufficiently sanitize user supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user
with permission to create/edit Ubercart products or webforms.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Ubercart Webform Checkout Pane module
Drupal core is not affected. If you do not use the contributed Ubercart
Webform Checkout Pane [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Ubercart Webform Checkout Pane module you should uninstall it.
Also see the Ubercart Webform Checkout Pane [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Joel Stein [6]
* Dylan Tack [7] of the Drupal Security Team
* Pere Orga [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/uc_webform_pane
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_webform_pane
[5] https://www.drupal.org/project/uc_webform_pane
[6] https://www.drupal.org/user/36598
[7] https://www.drupal.org/user/96647
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459349
* Advisory ID: DRUPAL-SA-CONTRIB-2015-086
* Project: Decisions [1] (third-party module)
* Version: 6.x
* Date: 2015-March-25
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Decisions module is a replacement for the Poll module and provides advanced
voting systems and decision-making tools.
The module doesn't sufficiently protect some links against CSRF. A malicious
user can cause another user to remove individual voters by getting their
browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Decisions module
Drupal core is not affected. If you do not use the contributed Decisions [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Decisions module you should uninstall it.
Also see the Decisions [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/decisions
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/decisions
[5] https://www.drupal.org/project/decisions
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459337
* Advisory ID: DRUPAL-SA-CONTRIB-2015-085
* Project: Invoice [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-25
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Invoice module allows you to create invoices in Drupal.
The module doesn't sufficiently sanitize user supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
Additionally, some URLs were not protected against CSRF. A malicious user can
cause another user to create, delete and alter invoices by getting their
browser to make a request to a specially-crafted URL.
The XSS vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Administer own invoices" and be able to create/edit
nodes of the "Invoice" content type.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Invoice module
Drupal core is not affected. If you do not use the contributed Invoice [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Invoice module you should uninstall it.
Also see the Invoice [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [6], provisional member Drupal Security Team
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [8] of the Drupal Security Team
* Matt Vance [9], provisional member Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/invoice
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/invoice
[5] https://www.drupal.org/project/invoice
[6] https://www.drupal.org/user/88338
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/88338
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459327
* Advisory ID: DRUPAL-SA-CONTRIB-2015-084
* Project: Linear Case [1] (third-party module)
* Version: 6.x
* Date: 2015-March-25
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Linear Case module allows you to organize Closed Question documents in case
studies.
The module doesn't sufficiently sanitize user supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user
with permission to edit/create Linear Case nodes.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Linear Case 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Linear Case
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Linear Case module for Drupal 6.x, upgrade to Linear Case
6.x-1.3 [5]
Also see the Linear Case [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Koos van der Kolk [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/linearcase
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/linearcase
[5] https://www.drupal.org/node/2459197
[6] https://www.drupal.org/project/linearcase
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/562054
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459323
* Advisory ID: DRUPAL-SA-CONTRIB-2015-083
* Project: Webform Multiple File Upload [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-25
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
Webform Multiple File Upload module enables you to upload multiple files at
once in webforms.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause a user with edit access to webforms to delete files by getting
their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform Multiple File Upload 6.x-1.x versions prior to 6.x-1.3.
* Webform Multiple File Upload 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Webform
Multiple File Upload [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform Multiple File Upload module for Drupal 6.x,
upgrade
to Webform Multiple File Upload 6.x-1.3 [5]
* If you use the Webform Multiple File Upload module for Drupal 7.x,
upgrade
to Webform Multiple File Upload 7.x-1.3 [6]
Also see the Webform Multiple File Upload [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jelle Sebreghts [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/webform_multifile
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_multifile
[5] https://www.drupal.org/node/2459031
[6] https://www.drupal.org/node/2459035
[7] https://www.drupal.org/project/webform_multifile
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/829198
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459315
* Advisory ID: DRUPAL-SA-CONTRIB-2015-082
* Project: Crumbs [1] (third-party module)
* Version: 7.x
* Date: 2015-March-25
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add navigation to your webpages colloquially
referred to as "breadcrumbs".
The module doesn't sufficiently sanitize custom HTML separators for
breadcrumbs, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Crumbs".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Crumbs 7.x-2.x versions prior to 7.x-2.3
Drupal core is not affected. If you do not use the contributed Crumbs [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Crumbs module for Drupal 7.x, upgrade to Crumbs 7.x-2.3
[5]
Also see the Crumbs [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Colleen Blaho [7]
-------- FIXED BY
------------------------------------------------------------
* Andreas Hennings [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/crumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/crumbs
[5] https://www.drupal.org/node/2458675
[6] https://www.drupal.org/project/crumbs
[7] https://www.drupal.org/user/3042419
[8] https://www.drupal.org/u/donquixote
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2459311
* Advisory ID: DRUPAL-SA-CONTRIB-2015-081
* Project: Petition [1] (third-party module)
* Version: 6.x
* Date: 2015-March-25
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Petition module enables you to create petitions which users may sign.
The module doesn't sufficiently sanitize user supplied text in some
administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "create petition".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Petition 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Petition [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Petition module for Drupal 6.x, upgrade to Petition
6.x-1.3
[5]
Also see the Petition [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Sean Robertson [8] the module maintainer
* Pere Orga [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/petition
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/petition
[5] https://www.drupal.org/node/2458683
[6] https://www.drupal.org/project/petition
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/7074
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2455011
* Advisory ID: DRUPAL-SA-CONTRIB-2015-080
* Project: Profile2 Privacy [1] (third-party module)
* Version: 7.x
* Date: 2015-March-18
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Profile2 Privacy module enables you to show or hide parts of a profile2
entity based on pre-configured field sets with a title and description.
The module doesn't sufficiently sanitize user supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Profile2 Privacy Levels".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Profile2 Privacy 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Profile2
Privacy [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Profile2 Privacy module for Drupal 7.x, upgrade to
Profile2
Privacy 7.x-1.5 [5]
Also see the Profile2 Privacy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [7] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Matt Vance [8] provisional member of the Drupal Security Team
* Jason Yee [9], module maintainer
* Maria Fisher [10], module maintainer
* Greg Knaddison [11] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Matt Vance [12] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/profile2_privacy
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/profile2_privacy
[5] https://www.drupal.org/node/2454383
[6] https://www.drupal.org/project/profile2_privacy
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/user/712186
[10] https://www.drupal.org/user/2210776
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/88338
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2454909
* Advisory ID: DRUPAL-SA-CONTRIB-2015-079
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-18
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
This module provides a set of APIs and tools to improve the developer
experience.
.... Access bypass in autocomplete (Drupal 7 only)
Among other many other things, CTools provides an autocomplete callback for
finding entities by their titles or ID.
In CTools version 1.5, additional checks were created to defend against
leaking titles for entities that the user doesn't have access to. However,
certain edge cases were found to leak this private data.
This vulnerability is mitigated by the fact that you must perform the
autocomplete search on custom entities that don't include an access query
tag, or you must know the ID of the entity whose title you are trying to get.
.... Open redirect in confirmation pages (Drupal 6 and 7)
Also, CTools did not sanitize user provided URLs when processing confirmation
delete pages, thereby exposing an open redirect attack vector.
This vulnerability is mitigated by the fact that a module using CTools must
allow for users to insert a malicious external URL that is sent to the
confirmation page.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CTools 6.x-1.x versions prior to 6.x-1.12.
* CTools 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CTools module for Drupal 6.x, upgrade to CTools 6.x-1.12
[5]
* If you use the CTools module for Drupal 7.x, upgrade to CTools 7.x-1.7
[6]
Also see the Chaos tool suite (ctools) [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Richard Thomas [8]
* Pere Orga [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jakob Perry [10], the module maintainer
* Richard Thomas [11]
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [12] of the Drupal Security Team
* Pere Orga [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] https://www.drupal.org/project/ctools
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ctools
[5] https://www.drupal.org/node/2454885
[6] https://www.drupal.org/node/2454883
[7] https://www.drupal.org/project/ctools
[8] https://www.drupal.org/user/1924680
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/45640
[11] https://www.drupal.org/user/1924680
[12] https://www.drupal.org/user/266527
[13] https://www.drupal.org/user/2301194
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2454903
* Advisory ID: DRUPAL-SA-CONTRIB-2015-078
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-18
* Security risk: 11/25 ( Moderately Critical)
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Webform is the module for making surveys, petitions, contests, personalized
contact forms, and the like in Drupal.
The module doesn't sufficiently sanitize component names when components are
used to determine the e-mail addresses that may be sent upon webform
submission.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create/update nodes with an attached webform and (in
7.x-4.x releases) have the permission "edit webform components".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Webform 6.x-3.x versions prior to 6.x-3.23
* Webform 7.x-3.x versions prior to 7.x-3.23
* Webform 7.x-4.x versions prior to 7.x-4.5
Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform module for Drupal 6.x, upgrade to Webform 6.x-3.23
[5]
* If you use the Webform module for Drupal 7.x, upgrade to Webform 7.x-3.23
[6] or Webform 7.x-4.5 [7], as appropriate.
Also see the Webform [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dan Chadwick [9], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Dan Chadwick [10], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/node/2454055
[6] https://www.drupal.org/node/2454059
[7] https://www.drupal.org/node/2454063
[8] https://www.drupal.org/project/webform
[9] https://www.drupal.org/user/504278
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity