View online: https://www.drupal.org/node/2495931
* Advisory ID: DRUPAL-SA-CONTRIB-2015-115
* Project: Chamilo integration [1] (third-party module)
* Version: 7.x
* Date: 2015-May-27
* Security risk: 8/25 (Less Critical)
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
Chamilo integration module integrates Drupal with Chamilo LMS.
The module has an Open Redirect vulnerability: it does not sufficiently
validate a redirect target passed as a URL parameter, so an attacker can craft
a link on the site that sends users to a malicious site without their
realizing it.
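The class of check the fix has to perform, as an added example that is not code from the Chamilo integration module or from Drupal: a redirect target is accepted only if it resolves to the site's own hostname, and the cases that commonly slip past a naive "does it start with a slash" test (protocol-relative URLs, backslashes, a scheme without an authority, userinfo tricks, header-splitting characters) are rejected. The hostnames and sample targets are constructed for the example.

```python
from typing import Collection, Dict, Iterable
from urllib.parse import urlsplit

# Illustrative open-redirect guard written for this advisory; it is not code
# from the Chamilo integration module. `allowed_hosts` is the site's own
# hostname(s); the host and sample values below are constructed.


def is_safe_redirect(target: str, allowed_hosts: Collection[str]) -> bool:
    """Return True only if redirecting to `target` keeps the user on this site.

    Validate the exact string that will be written into the Location header
    (for PHP that is the already-decoded $_GET value); do not decode it again.
    """
    if not target:
        return False
    # Whitespace and control characters let a value split headers or be
    # parsed differently by browsers than by this function: reject outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs and collapse any run of
    # leading slashes, so "/\evil.example" and "///evil.example" both mean
    # "//evil.example": a protocol-relative URL pointing at another host.
    normalized = target.replace("\\", "/")
    if normalized.startswith("//"):
        normalized = "//" + normalized.lstrip("/")
    parts = urlsplit(normalized)
    # Only http(s) is acceptable, and only with an explicit authority:
    # browsers rewrite "https:evil.example" to "https://evil.example".
    if parts.scheme and (parts.scheme.lower() not in ("http", "https") or not parts.netloc):
        return False
    if parts.netloc or normalized.startswith("//"):
        # .hostname is lowercased with userinfo and port stripped, so
        # "https://example.com@evil.example" and "https://EXAMPLE.COM:443"
        # are judged on the host the browser will actually contact.
        return bool(parts.hostname) and parts.hostname in allowed_hosts
    # No scheme and no authority: a path relative to the current origin.
    return True


SITE_HOSTS = frozenset({"example.com"})  # constructed: the site's own hostname

# Constructed sample of destination-style values an attacker might supply.
SAMPLE_TARGETS = [
    "/node/1",
    "node/1?x=1",
    "https://example.com/user",
    "https://EXAMPLE.COM:443/user",
    "//evil.example",
    "/\\evil.example",
    "///evil.example",
    "https:evil.example",
    "https://example.com@evil.example/",
    "javascript:alert(1)",
    "/node/1\r\nSet-Cookie: a=b",
]


def audit(targets: Iterable[str], allowed_hosts: Collection[str]) -> Dict[str, bool]:
    """Map each candidate target to the verdict is_safe_redirect gives it."""
    return {t: is_safe_redirect(t, allowed_hosts) for t in targets}


if __name__ == "__main__":
    for target, ok in audit(SAMPLE_TARGETS, SITE_HOSTS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {target!r}")
```

Running the block prints one verdict per sample target; only the four same-origin values are allowed. The check is deliberately an allow-list on the host rather than a deny-list on known-bad prefixes, because every new browser parsing quirk otherwise becomes a new bypass.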
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Chamilo integration 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Chamilo
integration [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* If you use the Chamilo integration module for Drupal 7.x, upgrade to
Chamilo integration 7.x-1.2 [5]
Also see the Chamilo integration [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Yannick Warnier [8] the module maintainer
* Fernando Paredes García [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/chamilo
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/chamilo
[5] https://www.drupal.org/node/2495929
[6] https://www.drupal.org/project/chamilo
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/124205
[9] https://www.drupal.org/user/125473
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2495903
* Advisory ID: DRUPAL-SA-CONTRIB-2015-114
* Project: Storage API [1] (third-party module)
* Version: 7.x
* Date: 2015-May-27
* Security risk: 13/25 (Moderately Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Storage API module creates an underlying agnostic storage layer for
Drupal using many different underlying storage methods. Storage API can be
used to create fields for entities to hold data.
The module failed to restrict access to Storage API fields attached to
entities other than nodes.
This is mitigated by the fact that only fields using a storage class that
enforces access restrictions are affected; storage classes enforce none by
default.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Storage API 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Storage API
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Storage API module for Drupal 7.x, upgrade to Storage API
7.x-1.8 [5]
Also see the Storage API [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Gil [7]
-------- FIXED BY
------------------------------------------------------------
* David Gil [8]
* Perignon [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/storage_api
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/storage_api
[5] https://www.drupal.org/node/2495895
[6] https://www.drupal.org/project/storage_api
[7] https://www.drupal.org/user/876000
[8] https://www.drupal.org/user/876000
[9] https://www.drupal.org/user/1547200
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2492317
* Advisory ID: DRUPAL-SA-CONTRIB-2015-113
* Project: Hostmaster (Aegir) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-May-20
* Security risk: 13/25 (Moderately Critical)
AC:Complex/A:Admin/CI:All/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The Aegir Hosting System enables you to deploy and manage Drupal sites.
When writing Apache vhost files for sites hosted on a common platform
(multi-site), Aegir does not block execution of PHP code uploaded to the files
directory of another site on the same platform.
This vulnerability is mitigated by the fact that an attacker must already
have compromised another site on the same multi-site platform sufficiently to
upload executable code to its files directory.
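One check an operator could run after upgrading, as an added example that is neither Aegir code nor a reproduction of Aegir's fix: it parses a generated Apache vhost and reports, for every site's files directory on the platform, whether a <Directory> block stops PHP execution using the same directives Drupal core places in its files/.htaccess (php_flag engine off and the Drupal_Security_Do_Not_Remove SetHandler). The vhost text, paths and list of files directories are constructed for the example; Aegir's real templates may differ.

```python
import re
from typing import Dict, List

# Added check written for this advisory; not Aegir code and not its fix.
# It looks for the directives Drupal core's own sites/*/files/.htaccess uses
# to stop PHP execution, placed at vhost level so they hold even where
# .htaccess is not honoured. Sample vhost and paths below are constructed.

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory>", re.I)
ENGINE_OFF = re.compile(r"^\s*php_(?:admin_)?flag\s+engine\s+off\b", re.I)
NO_EXEC_HANDLER = re.compile(r"^\s*SetHandler\s+Drupal_Security_Do_Not_Remove", re.I)

# Constructed vhost for one platform hosting two sites: site-a is protected,
# site-b has a <Directory> block that does nothing about PHP.
SAMPLE_VHOST = """\
<VirtualHost *:80>
  ServerName site-a.example
  DocumentRoot /var/aegir/platforms/drupal-7

  <Directory "/var/aegir/platforms/drupal-7/sites/site-a.example/files">
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
    Options None
    Options +FollowSymLinks
    <IfModule mod_php5.c>
      php_admin_flag engine off
    </IfModule>
  </Directory>

  <Directory "/var/aegir/platforms/drupal-7/sites/site-b.example/files">
    Options None
    Options +FollowSymLinks
  </Directory>
</VirtualHost>
"""

# Files directories of every site on the platform (constructed); site-c has
# no <Directory> block in the vhost at all.
SAMPLE_FILES_DIRS = [
    "/var/aegir/platforms/drupal-7/sites/site-a.example/files",
    "/var/aegir/platforms/drupal-7/sites/site-b.example/files",
    "/var/aegir/platforms/drupal-7/sites/site-c.example/files",
]


def directory_blocks(vhost: str) -> Dict[str, List[str]]:
    """Map each top-level <Directory PATH> block to the lines inside it."""
    blocks: Dict[str, List[str]] = {}
    current, body = None, []  # type: ignore[var-annotated]
    for line in vhost.splitlines():
        opened = DIR_OPEN.match(line)
        if current is None and opened:
            current, body = opened.group(1).rstrip("/"), []
        elif current is not None and DIR_CLOSE.match(line):
            blocks[current] = body
            current = None
        elif current is not None:
            body.append(line)
    return blocks


def audit_vhost(vhost: str, files_dirs: List[str]) -> Dict[str, str]:
    """Classify each files directory as hardened, php-enabled or missing."""
    blocks = directory_blocks(vhost)
    verdicts: Dict[str, str] = {}
    for path in files_dirs:
        body = blocks.get(path.rstrip("/"))
        if body is None:
            verdicts[path] = "missing"       # no <Directory> block at all
        elif any(ENGINE_OFF.match(l) or NO_EXEC_HANDLER.match(l) for l in body):
            verdicts[path] = "hardened"      # at least one anti-execution directive
        else:
            verdicts[path] = "php-enabled"   # nothing here stops PHP running
    return verdicts


if __name__ == "__main__":
    for path, verdict in audit_vhost(SAMPLE_VHOST, SAMPLE_FILES_DIRS).items():
        print(f"{verdict:12} {path}")
```

Point the function at each regenerated vhost and treat any "missing" or "php-enabled" result for a files directory as a site that still needs its Verify task. php_admin_flag is used in the sample rather than php_flag because it cannot be overridden from a .htaccess file, which matters when several sites share one DocumentRoot.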
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
* Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.
Drupal core is not affected. If you do not use the contributed Hostmaster
(Aegir) [4] distribution, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir
6.x-2.4 [5]
* If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir
7.x-3.0-beta2 [6]
After upgrading, run a Verify task on all hosted sites so that their vhost
files are rewritten. The easiest method is to use the Views Bulk Operations
controls on the hosting/sites page.
Also see the Hostmaster (Aegir) [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Gaël Gosset [8]
-------- FIXED BY
------------------------------------------------------------
* Herman van Rink [9], a maintainer of the Aegir Hosting System.
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/hostmaster
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/hostmaster
[5] https://www.drupal.org/node/2492313
[6] https://www.drupal.org/node/2492215
[7] https://www.drupal.org/project/hostmaster
[8] https://www.drupal.org/u/ga%C3%ABlg
[9] https://www.drupal.org/u/helmo
[10] https://www.drupal.org/user/102818
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2492209
* Advisory ID: DRUPAL-SA-CONTRIB-2015-110
* Project: Web Links [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-May-20
* Security risk: 7/25 (Less Critical)
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Web Links module provides a comprehensive way to manage URL links to
other websites.
The module doesn't sufficiently sanitize user supplied text, thereby exposing
a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create/edit weblink nodes.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Web Links 6.x-2.x versions prior to 6.x-2.6
* Web Links 7.x-1.x versions prior to 7.x-1.0
Drupal core is not affected. If you do not use the contributed Web Links [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Web Links module for Drupal 6.x, upgrade to
weblinks-6.x-2.6 [5]
* If you use the Web Links module for Drupal 7.x, upgrade to
weblinks-7.x-1.0 [6]
Also see the Web Links [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jonathan Smith [8] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Jonathan Smith [9] the module maintainer
* Gerhard Stegemann [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/weblinks
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/weblinks
[5] http://www.drupal.org/node/2487548
[6] http://www.drupal.org/node/2487542
[7] https://www.drupal.org/project/weblinks
[8] https://www.drupal.org/user/92645
[9] https://www.drupal.org/user/92645
[10] https://www.drupal.org/user/549330
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2492245
* Advisory ID: DRUPAL-SA-CONTRIB-2015-112
* Project: Navigate [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-May-20
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Navigate is a customizable navigation tool for Drupal.
.... Access Bypass
In certain situations the module does not adequately check content
permissions, allowing a malicious user with "navigate view" permission to
modify custom widgets and create new widget database records.
.... Cross-site scripting
The module also doesn't sufficiently filter text, creating an XSS
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permissions "navigate view", "navigate_custom use" and either
"navigate customize" or "navigate administer".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Navigate module.
Drupal core is not affected. If you do not use the contributed Navigate [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Navigate module you should uninstall it.
Also see the Navigate [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kate Kligman [6]
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/navigate
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/navigate
[5] https://www.drupal.org/project/navigate
[6] https://www.drupal.org/u/kate-kligman
[7] https://www.drupal.org/u/mlhess
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2492243
* Advisory ID: DRUPAL-SA-CONTRIB-2015-111
* Project: Shipwire [1] (third-party module)
* Version: 7.x
* Date: 2015-May-20
* Security risk: 15/25 (Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Shipwire API module handles communication with the Shipwire shipping
service.
As installed, the Shipwire module does not require any permission to view the
shipments overview page (admin/shipwire/shipments), so the page is reachable
without authentication. Limited non-public information is displayed on it.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Shipwire 7.x-1.x versions prior to 7.x-1.03.
Drupal core is not affected. If you do not use the contributed Shipwire [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Shipwire module for Drupal 7.x, upgrade to Shipwire
7.x-1.03 [5] or greater.
* Check that the settings have been updated by navigating to Structure ->
Views -> Shipwire shipment. Under 'Page settings' make sure that 'Access' is
set to 'Permission' -> 'View all Shipwire Shipments'.
Also see the Shipwire [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tinker [7]
-------- FIXED BY
------------------------------------------------------------
* Tinker [8]
-------- COORDINATED BY
------------------------------------------------------
* Matt Vance [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/shipwire
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/shipwire
[5] https://www.drupal.org/node/2487580
[6] https://www.drupal.org/project/shipwire
[7] https://www.drupal.org/user/200883
[8] https://www.drupal.org/user/200883
[9] https://www.drupal.org/u/matt-v
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2492205
* Advisory ID: DRUPAL-SA-CONTRIB-2015-109
* Project: pass2pdf [1] (third-party module)
* Version: 7.x
* Date: 2015-May-20
* Security risk: 18/25 (Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module lets users set a password when registering and emails that
password to the user in a PDF file.
The module has an Information Disclosure vulnerability: the generated PDF
files are not access-protected, so anyone, including anonymous users, can
retrieve them and read the passwords they contain.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of pass2pdf module
Drupal core is not affected. If you do not use the contributed pass2pdf [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the pass2pdf module you should uninstall it.
Also see the pass2pdf [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sam Becker [6]
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/pass2pdf
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/pass2pdf
[5] https://www.drupal.org/project/pass2pdf
[6] https://www.drupal.org/user/1485048
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2484195
* Advisory ID: DRUPAL-SA-CONTRIB-2015-105
* Project: Video Consultation [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-May-06
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Video Consultation module integrates VideoWhisper Video Consultation software
with Drupal.
The module doesn't sufficiently sanitize user supplied text, thereby exposing
a Cross Site Scripting vulnerability.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Video Consultation module.
Drupal core is not affected. If you do not use the contributed Video
Consultation [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Video Consultation module you should uninstall it.
Also see the Video Consultation [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/vconsult
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/vconsult
[5] https://www.drupal.org/project/vconsult
[6] https://www.drupal.org/user/102818
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2484157
* Advisory ID: DRUPAL-SA-CONTRIB-2015-104
* Project: Dynamic display block [1] (third-party module)
* Version: 7.x
* Date: 2015-May-06
* Security risk: 7/25 (Less Critical)
AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to showcase featured content at a prominent place on
the front page of the site in an attractive way.
The module does not sufficiently enforce content access. In certain scenarios
a user with the "administer ddblock" permission can see the titles of content
that this user is not otherwise allowed to view.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer ddblock" permission.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
All versions of Dynamic display block module.
Drupal core is not affected. If you do not use the contributed Dynamic
display block [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Dynamic display block module you should uninstall it.
Also see the Dynamic display block [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Rothstein [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [7] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/ddblock
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ddblock
[5] https://www.drupal.org/project/ddblock
[6] https://www.drupal.org/user/124982
[7] https://www.drupal.org/user/1852732
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2484169
* Advisory ID: DRUPAL-SA-CONTRIB-2015-106
* Project: Entityform block [1] (third-party module)
* Version: 7.x
* Date: 2015-May-06
* Security risk: 12/25 (Moderately Critical)
AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to display an entityform as a block.
The module doesn't sufficiently check permissions on the entityform when the
form it displays is restricted to certain roles, so the block can expose the
form to users who lack those roles.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Entityform Block 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Entityform
block [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Entityform Block module for Drupal 7.x, upgrade to
Entityform Block 7.x-1.3 [5]
Also see the Entityform block [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Niels de Feyter [7]
-------- FIXED BY
------------------------------------------------------------
* Tim Whitney [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [9] of the Drupal Security Team
* Aaron Ott [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/entityform_block
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/entityform_block
[5] https://www.drupal.org/node/2483687
[6] https://www.drupal.org/project/entityform_block
[7] https://www.drupal.org/user/599438
[8] https://www.drupal.org/u/timodwhit
[9] https://www.drupal.org/u/rickmanelius
[10] https://www.drupal.org/user/154069
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity