View online: https://www.drupal.org/node/2445971
* Advisory ID: DRUPAL-SA-CONTRIB-2015-068
* Project: Campaign Monitor [1] (third-party module)
* Version: 7.x
* Date: 2015-March-04
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Campaign Monitor module integrates the Campaign Monitor API into Drupal.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause another user to enable and disable list subscriptions by
getting their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Campaign Monitor 7.x-1.0
Drupal core is not affected. If you do not use the contributed Campaign
Monitor [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Campaign Monitor module for Drupal 7 you should uninstall it.
Also see the Campaign Monitor [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/campaignmonitor
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/campaignmonitor
[5] https://www.drupal.org/project/campaignmonitor
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445967
* Advisory ID: DRUPAL-SA-CONTRIB-2015-067
* Project: Finder [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-04
* Security risk: 9/25 (Less Critical) AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION ---------------------------------------------------------
Finder module allows you to create flexible faceted search forms to find
entities such as nodes or users based on the values of fields and database
attributes.
The module's finder_form_goto() function can be abused for phishing: an
attacker can formulate a redirect that makes the Drupal site send the user to
an arbitrary, attacker-supplied URL (an open redirect).
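The defensive counterpart to this issue, as an added illustrative example in Drupal 7 PHP and not the Finder module's own code: a redirect helper that only honours site-internal paths. The function names, the `goto` query parameter and the `<front>` fallback are assumptions.

```php
<?php
// Added example (not the Finder module's code): a redirect helper for
// Drupal 7 that only honours site-internal paths, so a redirect parameter
// taken from the request cannot send the visitor to another site.

/**
 * Returns $target if it is a local Drupal path, otherwise $fallback.
 *
 * Hypothetical helper. Besides url_is_external(), it rejects scheme-relative
 * "//host" targets, their backslash variants, and control characters.
 */
function example_safe_redirect_path($target, $fallback = '<front>') {
  if (!is_string($target)) {
    return $fallback;
  }
  $target = trim($target);
  if ($target === '') {
    return $fallback;
  }
  // Browsers treat "\" like "/", so "\\evil.example" means "//evil.example".
  $normalized = str_replace('\\', '/', $target);
  $bad = strpos($normalized, '//') === 0
    || preg_match('/[\x00-\x1F\x7F]/', $target)
    // url_is_external() is TRUE for absolute URLs such as "https://evil.example".
    || url_is_external($target);
  if ($bad) {
    watchdog('example', 'Rejected redirect target %t.', array('%t' => $target), WATCHDOG_WARNING);
    return $fallback;
  }
  return $target;
}

/**
 * Page callback: redirect to the page named in ?goto=..., e.g. ?goto=node/1.
 * The parameter name and the page callback are assumptions.
 */
function example_goto_page() {
  $target = isset($_GET['goto']) ? $_GET['goto'] : '';
  // drupal_goto() separately honours ?destination=, which core itself checks
  // with url_is_external() before using.
  drupal_goto(example_safe_redirect_path($target));
}
```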
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of Finder module
Drupal core is not affected. If you do not use the contributed Finder [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Finder module you should uninstall it.
Also see the Finder [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/finder
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/finder
[5] https://www.drupal.org/project/finder
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445961
* Advisory ID: DRUPAL-SA-CONTRIB-2015-066
* Project: Tracking Code [1] (third-party module)
* Version: 7.x
* Date: 2015-March-04
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Tracking Code module allows you to create tracking code snippets and control
their visibility.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause an administrator to disable tracking codes by getting their
browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of Tracking Code module
Drupal core is not affected. If you do not use the contributed Tracking Code
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Tracking Code module you should uninstall it.
Also see the Tracking Code [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/tracking_code
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/tracking_code
[5] https://www.drupal.org/project/tracking_code
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445955
* Advisory ID: DRUPAL-SA-CONTRIB-2015-065
* Project: Registration codes [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-04
* Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Registration codes module allows new account registrations only for users who
provide a valid registration code.
The module was not properly sanitizing user supplied text in some pages,
thereby exposing XSS vulnerabilities.
Additionally, some URLs were not protected against CSRF: a malicious user can
cause an administrator to delete rules by getting their browser to make a
request to a specially-crafted URL.
The XSS vulnerabilities may be mitigated by the fact that an attacker must
have a user account that is allowed to create/edit taxonomy terms or nodes.
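The CSRF weakness described for Campaign Monitor, Tracking Code and Registration codes has one standard Drupal 7 remedy, shown here as an added illustrative example that is not code from any of those modules: a state-changing link carries a token bound to the action, and the page callback validates it. Module, path, permission and function names are assumptions.

```php
<?php
// Added example, not code from any module in these advisories. The Drupal 7
// idiom for a state-changing link: the URL carries a token bound to the exact
// action and the page callback refuses requests whose token does not validate,
// so a link planted on another site cannot perform the action for the victim.

/**
 * Implements hook_menu(). Module, path and permission names are assumptions.
 */
function example_menu() {
  $items['example/subscription/%/%'] = array(
    'title' => 'Toggle subscription',
    'page callback' => 'example_subscription_toggle',
    'page arguments' => array(2, 3),  // list id and 'enable' or 'disable'
    'access arguments' => array('manage example subscriptions'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link an authorised user clicks. The token is bound to the full
 * path, so a token captured for one list/state is useless for another.
 */
function example_subscription_link($list_id, $state) {
  $path = 'example/subscription/' . (int) $list_id . '/' . $state;
  $text = t('@state list @id', array('@state' => $state, '@id' => $list_id));
  return l($text, $path, array('query' => array('token' => drupal_get_token($path))));
}

/**
 * Page callback for example/subscription/%/%.
 */
function example_subscription_toggle($list_id, $state) {
  if (!preg_match('/^\d+$/', $list_id) || !in_array($state, array('enable', 'disable'), TRUE)) {
    return MENU_NOT_FOUND;
  }
  $path = 'example/subscription/' . $list_id . '/' . $state;
  // drupal_valid_token() derives the expected value from the current session
  // and the site's private key. The menu access check alone does not help,
  // because the victim's browser is already logged in.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  example_set_subscription_state((int) $list_id, $state === 'enable');
  drupal_set_message(t('Subscription for list @id updated.', array('@id' => $list_id)));
  drupal_goto('admin/config/services/example');
}

/**
 * Stand-in storage (assumption); a real module updates its own table.
 */
function example_set_subscription_state($list_id, $enabled) {
  variable_set('example_subscription_' . $list_id, $enabled ? 1 : 0);
}
```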
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of Registration codes
Drupal core is not affected. If you do not use the contributed Registration
codes [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Registration codes module you should uninstall it.
Also see the Registration codes [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/regcode
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/regcode
[5] https://www.drupal.org/project/regcode
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445953
* Advisory ID: DRUPAL-SA-CONTRIB-2015-064
* Project: Ubercart Discount Coupons [1] (third-party module)
* Version: 6.x
* Date: 2015-March-04
* Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Ubercart Discount Coupons module provides discount coupons for Ubercart
stores.
The module doesn't sufficiently sanitize user supplied text in some
administration pages, thereby exposing a Cross Site Scripting vulnerability.
The vulnerability is mitigated by the fact that an attacker must have a user
account with permission to create/edit taxonomy terms. Note that for
vocabularies with free tagging enabled, this includes any user with permission
to add/edit content of a type to which the vocabulary applies.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8
Drupal core is not affected. If you do not use the contributed Ubercart
Discount Coupons [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ubercart Discount Coupons module for Drupal 6.x, upgrade to
Ubercart Discount Coupons 6.x-1.8 [5]
Also see the Ubercart Discount Coupons [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* wodenx [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/uc_coupon
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_coupon
[5] https://www.drupal.org/node/2438357
[6] https://www.drupal.org/project/uc_coupon
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/896508
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445935
* Advisory ID: DRUPAL-SA-CONTRIB-2015-063
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-04
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform enables you to create surveys, personalized contact forms, contests,
and the like.
-------- CROSS SITE SCRIPTING RELATED TO WEBFORM SUBMISSIONS -----------------
The module doesn't sufficiently escape user data presented to administrative
users in the webform results table. This issue affects the 7.x-4.x branch
only.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to submit a webform and the administrative user must
subsequently visit the webform's results table tab.
To mitigate this vulnerability, you can disable the view-based results table
and restore the legacy hard-coded results table by adding this line to your
settings.php file:
<?php $conf['webform_table'] = TRUE; ?>
-------- CROSS SITE SCRIPTING RELATED TO BLOCKS ------------------------------
The module doesn't sufficiently escape the node titles of webforms, which
administrators may expose as blocks that are displayed to any user. This
issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to administer blocks and create or edit webform nodes.
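The three XSS advisories on this page (Registration codes, Ubercart Discount Coupons and both Webform issues) share one root cause, so one added illustrative example serves all of them. It is Drupal 7 PHP written for this page, not code from any of those modules; the hook implementations, the use of a node id as block delta, and the helper names are assumptions.

```php
<?php
// Added example, not code from Webform, Ubercart Discount Coupons or
// Registration codes. What the three XSS advisories have in common: in
// Drupal 7, block subjects, '#markup' strings and theme('table') cells are
// printed verbatim, so values that originated as user input (node titles,
// taxonomy term names, submission values) must pass through check_plain()
// (or filter_xss() when limited HTML is intended) before they are rendered.

/**
 * Implements hook_block_view(). Assumes $delta is the nid of a node that an
 * administrator chose to expose as a block. Function names are assumptions.
 */
function example_block_view($delta = '') {
  $node = node_load((int) $delta);
  if (!$node || !node_access('view', $node)) {
    return array();
  }
  return array(
    // block.tpl.php prints $block->subject raw; escaping here is mandatory.
    'subject' => check_plain($node->title),
    'content' => node_view($node, 'teaser'),
  );
}

/**
 * Renders rows of user-supplied strings (submission values, term names) as an
 * administrative table. theme_table() does not escape cell data itself.
 */
function example_results_table(array $header, array $rows) {
  $safe_rows = array();
  foreach ($rows as $row) {
    $safe_rows[] = array_map('check_plain', $row);
  }
  return theme('table', array('header' => $header, 'rows' => $safe_rows));
}

/**
 * Constructed hostile input: a term name carrying a script tag. Through the
 * helper above it renders as &lt;script&gt;..., i.e. as visible text only.
 */
function example_results_demo() {
  $rows = array(
    array('<script>alert(1)</script>', 'coupon-10'),
    array('Plain term', 'coupon-20'),
  );
  return example_results_table(array(t('Term'), t('Coupon')), $rows);
}
```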
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* webform 6.x versions prior to 6.x-3.22.
* webform 7.x-3.x versions prior to 7.x-3.22.
* webform 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22 [5]
* If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22 [6]
or webform 7.x-4.4 [7]
Also see the Webform [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dan Chadwick [9], the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Dan Chadwick [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform
[5] http://drupal.org/node/2445291
[6] http://drupal.org/node/2445295
[7] http://drupal.org/node/2445297
[8] https://www.drupal.org/project/webform
[9] https://www.drupal.org/user/504278
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity