View online: https://www.drupal.org/node/2507619
* Advisory ID: DRUPAL-SA-CONTRIB-2015-121
* Project: The eXtensible Catalog (XC) Drupal Toolkit [1] (third-party
module)
* Version: 6.x, 7.x
* Date: 2015-June-17
* Security risk: 15/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest
records of the XC Schema format from a Metadata Services Toolkit (MST).
The XC NCIP Provider module doesn't sufficiently protect some URLs against
CSRF. A malicious user can cause a user with "administer ncip providers"
permission to alter NCIP providers by getting their browser to make a request
to a specially-crafted URL.
This vulnerability is mitigated by the fact that only sites that have the XC
NCIP Provider module enabled are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of The eXtensible Catalog (XC) Drupal Toolkit
Drupal core is not affected. If you do not use the contributed The eXtensible
Catalog (XC) Drupal Toolkit [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use The eXtensible Catalog (XC) Drupal Toolkit you should uninstall
it.
Also see the The eXtensible Catalog (XC) Drupal Toolkit [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/xc
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/xc
[5] https://www.drupal.org/project/xc
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2507605
* Advisory ID: DRUPAL-SA-CONTRIB-2015-120
* Project: Inline Entity Form [1] (third-party module)
* Version: 7.x
* Date: 2015-June-17
* Security risk: 7/25 ( Less Critical)
AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Inline Entity Form module provides a field widget for inline management
(creation, modification, removal) of referenced entities.
The module doesn't sufficiently sanitize user supplied text, thereby exposing
a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create/edit fields.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Inline Entity Form 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Inline Entity
Form [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Inline Entity Form module for Drupal 7.x, upgrade to
Inline
Entity Form 7.x-1.6 [5]
Also see the Inline Entity Form [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [7], provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Matt Vance [8], provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/inline_entity_form
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/inline_entity_form
[5] https://www.drupal.org/node/2507593
[6] https://www.drupal.org/project/inline_entity_form
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2507581
* Advisory ID: DRUPAL-SA-CONTRIB-2015-119
* Project: Apache Solr Real-Time [1] (third-party module)
* Version: 7.x
* Date: 2015-June-17
* Security risk: 15/25 ( Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module allows content-changes to be committed to Apache Solr in
real-time.
The module doesn't check the status of an entity being indexed which means
that unpublished content will get indexed by Solr and the title and partial
content may be exposed to any user who has permission to search site content.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Apache Solr Real-Time 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Apache Solr
Real-Time [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Apache Solr Real-Time module for Drupal 7.x, upgrade to
Apache Solr Real-Time 7.x-2.2 [5]
Also see the Apache Solr Real-Time [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Hunter Fox [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Marcus Deglos [8] the module maintainer
* Steve Williams [9] the module maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/apachesolr_realtime
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/apachesolr_realtime
[5] https://www.drupal.org/node/2489890
[6] https://www.drupal.org/project/apachesolr_realtime
[7] https://www.drupal.org/user/426416
[8] https://www.drupal.org/user/321496
[9] https://www.drupal.org/user/223023
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2507563
* Advisory ID: DRUPAL-SA-CONTRIB-2015-118
* Project: HTTP Strict Transport Security [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-June-17
* Security risk: 12/25 ( Moderately Critical)
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The contributed HSTS module makes it easy for site administrators to
implement HTTP Strict Transport Security (HSTS) by setting the
Strict-Transport-Security header on each page generated by Drupal.
HSTS module provides a configuration UI for the HSTS "include subdomains"
directive, which indicates that the browser should apply the HSTS policy to
all subdomains on the site's domain.
HSTS module did not implement the "include subdomains" directive correctly
(it is misspelled as include_subdomains rather than includeSubDomains). As a
result, the HSTS policy was not applied to subdomains as site administrators
had expected.
This vulnerability is mitigated by the fact that only subdomains where HSTS
was expected to be enabled are affected and an attacker would still need to
execute a man-in-the-middle attack to exploit the issue.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* HSTS 7.x-1.x versions prior to 7.x-1.2.
* HSTS 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed HTTP Strict
Transport Security [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the HSTS module for Drupal 7.x, upgrade to HSTS 7.x-1.2 [5]
* If you use the HSTS module for Drupal 6.x, upgrade to HSTS 6.x-1.1 [6]
Also see the HTTP Strict Transport Security [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mark Burdett [8]
-------- FIXED BY
------------------------------------------------------------
* Mark Burdett [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/hsts
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/hsts
[5] https://www.drupal.org/node/2507539
[6] https://www.drupal.org/node/2507543
[7] https://www.drupal.org/project/hsts
[8] https://www.drupal.org/user/12302
[9] https://www.drupal.org/user/12302
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2499787
* Advisory ID: DRUPAL-SA-CONTRIB-2015-116
* Project: Novalnet Payment Module- Ubercart [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-June-03
* Security risk: 15/25 ( Critical)
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
This module enables you add the Novalnet payment service provider to
Ubercart.
The module fails to sanitize a database query by not using the database API
properly, thereby leading to a SQL Injection vulnerability. Since the
affected path is not protected against CSRF, a malicious user can exploit
this vulnerability by triggering a request to a specially-crafted URL.
This vulnerability is mitigated by the fact that the malicious request must
come from a specific Novalnet IP address.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Novalnet Payment Module Ubercart module
Drupal core is not affected. If you do not use the contributed Novalnet
Payment Module Ubercart [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Novalnet Payment Module Ubercart module you should uninstall
it.
Also see the Novalnet Payment Module Ubercart [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/uc_novalnet_payment
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_novalnet_payment
[5] https://www.drupal.org/project/uc_novalnet_payment
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2499791
* Advisory ID: DRUPAL-SA-CONTRIB-2015-117
* Project: Novalnet Payment Module- Drupal Commerce [1] (third-party
module)
* Version: 7.x
* Date: 2015-June-03
* Security risk: 15/25 ( Critical)
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
This module enables you add the Novalnet payment service provider to Drupal
Commerce.
The module fails to sanitize a database query by not using the database API
properly, thereby leading to a SQL Injection vulnerability. Since the
affected path is not protected against CSRF, a malicious user can exploit
this vulnerability by triggering a request to a specially-crafted URL.
This vulnerability is mitigated by the fact that the malicious request must
come from a specific Novalnet IP address.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of Novalnet Payment Module Drupal Commerce module
Drupal core is not affected. If you do not use the contributed Novalnet
Payment Module Drupal Commerce [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Novalnet Payment Module Drupal Commerce module you should
uninstall it.
Also see the Novalnet Payment Module Drupal Commerce [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/Commerce_novalnet
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/Commerce_novalnet
[5] https://www.drupal.org/project/Commerce_novalnet
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity