View online: https://www.drupal.org/node/2463891
* Advisory ID: DRUPAL-SA-CONTRIB-2015-092
* Project: Open Graph Importer [1] (third-party module)
* Version: 7.x
* Date: 2015-April-01
* Security risk: 10/25 (Moderately Critical) AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to import content from a web page by scraping its
Open Graph data.
The module doesn't sufficiently check for "create" permission to the content
type that is configured as the destination for imported content, thus
allowing a user with the "import og_tag_importer" permission to create
content regardless of other permissions.
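The gap described above is an authorization check that stops at the module's own permission. In Drupal 7 the decision to create a node must also pass node_access('create', ...), which consults the "create <type> content" permission and any hook_node_access() implementations. The following is an added example, not the Open Graph Importer module's code: a hypothetical module (og_import_example, with assumed function and variable names) that combines both checks in its menu access callback and repeats the check in form validation, because hook_menu() output is cached and the configured destination type can change after the router is built.

```php
<?php
/**
 * Added illustrative Drupal 7 module code (hypothetical module
 * "og_import_example"); requires a Drupal 7 bootstrap to run.
 * Not the Open Graph Importer module's own code.
 */

/**
 * Access callback: the module permission alone is not enough; the account
 * must also be allowed to create nodes of the destination content type.
 *
 * @param string $type
 *   Machine name of the destination content type.
 * @param object|null $account
 *   Account to check; defaults to the current user.
 *
 * @return bool
 */
function og_import_example_import_access($type, $account = NULL) {
  if (!isset($account)) {
    global $user;
    $account = $user;
  }
  // node_access('create', $type) honours "create <type> content",
  // "bypass node access" and hook_node_access() implementations.
  return user_access('import og_tag_importer', $account)
    && node_access('create', $type, $account);
}

/**
 * Implements hook_menu().
 */
function og_import_example_menu() {
  $items['admin/content/og-import'] = array(
    'title' => 'Import from Open Graph data',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('og_import_example_form'),
    'access callback' => 'og_import_example_import_access',
    // Evaluated when the router is rebuilt, hence the second check below.
    'access arguments' => array(variable_get('og_import_example_type', 'article')),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Form builder: a single URL field. Scraping the page is out of scope here.
 */
function og_import_example_form($form, &$form_state) {
  $form['og_url'] = array(
    '#type' => 'textfield',
    '#title' => t('Page URL'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Import'));
  return $form;
}

/**
 * Validate handler: re-check against the type configured right now.
 */
function og_import_example_form_validate($form, &$form_state) {
  $type = variable_get('og_import_example_type', 'article');
  if (!og_import_example_import_access($type)) {
    form_set_error('', t('You are not allowed to create %type content.', array('%type' => $type)));
  }
}

/**
 * Submit handler: only reached when validation, including the access
 * check, has passed. A real importer would fetch and parse the page's
 * Open Graph tags here; this example uses the URL as the title.
 */
function og_import_example_form_submit($form, &$form_state) {
  $node = new stdClass();
  $node->type = variable_get('og_import_example_type', 'article');
  node_object_prepare($node);
  $node->title = $form_state['values']['og_url'];
  $node->language = LANGUAGE_NONE;
  node_save($node);
  drupal_set_message(t('Imported %title.', array('%title' => $node->title)));
}
```

The split between the menu access callback and the validate handler is the design point: the router protects the page, but the validate handler is what protects the write, and it reads the destination type at request time rather than from the cached router entry.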
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* og_tag_importer 7.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Open Graph
Importer [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Disable the module. There is no safe version of the module to use.
Also see the Open Graph Importer [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Chang Xiao [6] the module maintainer
* Cameron Eagans [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* David Stoline [8] of the Drupal Security Team
* Damien McKenna [9] of the Drupal Security Team (provisional)
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/og_tag_importer
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/og_tag_importer
[5] https://www.drupal.org/project/og_tag_importer
[6] https://www.drupal.org/u/xcf33
[7] https://www.drupal.org/user/404732
[8] https://www.drupal.org/user/329570
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2463843
* Advisory ID: DRUPAL-SA-CONTRIB-2015-091
* Project: Current Search Links [1] (third-party module)
* Version: 7.x
* Date: 2015-April-01
* Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Current Search Links module is an extension to the Facet API Current Search
Blocks module. Instead of just showing the current search it turns the
current search keywords into links that you can drop from the search.
The module doesn't sufficiently sanitize the entered search query, thereby
exposing an XSS vulnerability. An attacker could exploit this vulnerability by
getting the victim to visit a specially-crafted URL.
This is mitigated by the fact that only sites with the option "Append the
keywords passed by the user to the list" disabled are affected.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Current Search Links 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Current Search
Links [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Current Search Links module for Drupal 7.x, upgrade to
Current Search Links 7.x-1.1 [5]
Also see the Current Search Links [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Sogeti security team
* Martijn de Wit [7]
-------- FIXED BY ------------------------------------------------------------
* Johnny van de Laar [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
[1] https://www.drupal.org/project/current_search_links
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/current_search_links
[5] https://www.drupal.org/node/2463493
[6] https://www.drupal.org/project/current_search_links
[7] https://www.drupal.org/user/83953
[8] https://www.drupal.org/user/248932
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2463835
* Advisory ID: DRUPAL-SA-CONTRIB-2015-090
* Project: Password policy [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-April-01
* Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Password Policy module allows enforcing restrictions on user passwords by
defining password policies.
The module doesn't sufficiently sanitize usernames in some administration
pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that only sites with a policy
that uses the username constraint are affected. Also, only sites importing
users from an external source (like distributed authentication) may allow
non-standard usernames that might contain malicious characters, as Drupal
core has validation when creating users via the user interface.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Password Policy 6.x-1.x versions prior to 6.x-1.11.
* Password Policy 7.x-1.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed Password
policy [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Password Policy 6.x-1.x module for Drupal 6.x, upgrade to
Password Policy 6.x-1.11 [5]
* If you use the Password Policy 7.x-1.x module for Drupal 7.x, upgrade to
Password Policy 7.x-1.11 [6]
Also see the Password policy [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* AohRveTPV [8], the module maintainer
-------- FIXED BY ------------------------------------------------------------
* AohRveTPV [9], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
[1] https://www.drupal.org/project/password_policy
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/password_policy
[5] https://www.drupal.org/node/2463329
[6] https://www.drupal.org/node/2463327
[7] https://www.drupal.org/project/password_policy
[8] https://www.drupal.org/user/aohrveptv
[9] https://www.drupal.org/user/aohrvetpv
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2463831
* Advisory ID: DRUPAL-SA-CONTRIB-2015-089
* Project: EntityBulkDelete [1] (third-party module)
* Version: 7.x
* Date: 2015-April-01
* Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
EntityBulkDelete module allows you to delete entities in bulk using the Batch
API.
The module doesn't sufficiently sanitize user supplied text in some
administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed
to create/edit comments, create/edit taxonomy terms or create/edit nodes.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* EntityBulkDelete 7.x-1.0
Drupal core is not affected. If you do not use the contributed
EntityBulkDelete [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the EntityBulkDelete module for Drupal 7.x, download
EntityBulkDelete 7.x-1.1 [5]
Also see the EntityBulkDelete [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Rahul Seth [8] the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
[1] https://www.drupal.org/project/entitybulkdelete
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/entitybulkdelete
[5] https://www.drupal.org/node/2463049
[6] https://www.drupal.org/project/entitybulkdelete
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/u/rahul-seth
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2463823
* Advisory ID: DRUPAL-SA-CONTRIB-2015-088
* Project: Imagefield Info [1] (third-party module)
* Version: 7.x
* Date: 2015-April-01
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Imagefield Info module enables you to view image field paths so you can
easily use them with a WYSIWYG editor.
The module doesn't sufficiently sanitize user supplied text in some
administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer image styles".
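The four Cross Site Scripting advisories on this page (Current Search Links, Password Policy, EntityBulkDelete and Imagefield Info) share one root cause: user-originated text (search keywords, usernames, comment or term or node text, image style data) reaches an HTML page without passing through Drupal 7's check_plain() or an equivalent escaping helper. The following is an added example, not code from any of those modules: a stand-alone PHP script with a search-keyword link renderer in unsafe and safe form, plus an admin-table row builder for externally sourced usernames. When run outside a Drupal bootstrap it defines check_plain() as Drupal 7 core does, so it runs with the plain php CLI; inside Drupal, l() and theme('table') perform the same escaping as the safe functions below. The sample inputs are constructed.

```php
<?php
/**
 * Added illustrative code, not from any module named in these advisories.
 * Drupal 7 core defines check_plain() exactly like this; the shim lets the
 * script run with the plain php CLI, outside a Drupal bootstrap.
 */
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Renders current search keywords as "drop this word" links.
 * UNSAFE: each keyword is interpolated raw into both the href and the
 * link text, so a crafted ?keys= value becomes markup on the results page.
 */
function render_keyword_links_unsafe(array $keywords, $base_path) {
  $out = '';
  foreach ($keywords as $i => $word) {
    $rest = $keywords;
    unset($rest[$i]);
    $out .= '<a href="' . $base_path . '?keys=' . implode('+', $rest) . '">' . $word . '</a> ';
  }
  return trim($out);
}

/**
 * SAFE: each user-derived fragment is escaped for the context it lands in.
 * Query values are URL-encoded, then the whole href and the visible text are
 * HTML-escaped. In a Drupal module l($word, 'search', array('query' => ...))
 * does the same work.
 */
function render_keyword_links_safe(array $keywords, $base_path) {
  $out = '';
  foreach ($keywords as $i => $word) {
    $rest = $keywords;
    unset($rest[$i]);
    $href = $base_path . '?keys=' . rawurlencode(implode(' ', $rest));
    $out .= '<a href="' . check_plain($href) . '">' . check_plain($word) . '</a> ';
  }
  return trim($out);
}

/**
 * Builds rows for an administration table of accounts. Usernames created
 * through an external provider may contain characters the core registration
 * form would have rejected, so every cell is escaped before theme('table')
 * or manual markup sees it.
 */
function build_user_rows(array $accounts) {
  $rows = array();
  foreach ($accounts as $account) {
    $rows[] = array(check_plain($account->name), check_plain($account->mail));
  }
  return $rows;
}

/**
 * Cheap regression check for output that should be inert: TRUE if the
 * rendered HTML still contains an unescaped <script> or on*= handler.
 */
function contains_active_markup($html) {
  return stripos($html, '<script') !== FALSE || preg_match('/\son\w+=/i', $html) === 1;
}

// Constructed sample inputs (not taken from any real site or report).
$keywords = array('drupal', '<script>alert(1)</script>', 'security');
$account = (object) array('name' => '"><img src=x onerror=alert(1)>', 'mail' => 'user@example.com');

$unsafe = render_keyword_links_unsafe($keywords, '/search');
$safe = render_keyword_links_safe($keywords, '/search');

echo "unsafe output still active: " . (contains_active_markup($unsafe) ? 'yes' : 'no') . "\n";
echo "safe output still active:   " . (contains_active_markup($safe) ? 'yes' : 'no') . "\n";
echo $safe . "\n";
print_r(build_user_rows(array($account)));
```

The escaping is applied at output time and per context (URL encoding inside the query string, HTML encoding for the attribute and the text node); storing "clean" usernames is not a substitute, because the Password Policy advisory above shows how externally imported accounts bypass the validation that core applies to the registration form.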
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Imagefield Info 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Imagefield
Info [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Imagefield Info module for Drupal 7.x, upgrade to
Imagefield Info 7.x-1.2 [5]
Also see the Imagefield Info [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Peter Lachky [8] the module maintainer
* Pere Orga [9] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
[1] https://www.drupal.org/project/imagefield_info
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/imagefield_info
[5] https://www.drupal.org/node/2463237
[6] https://www.drupal.org/project/imagefield_info
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/1437
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity