View online: https://www.drupal.org/node/2577903
* Advisory ID: DRUPAL-SA-CONTRIB-2015-0XX
* Project: Taxonomy Find [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-September-30
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add a simple search interface to look up taxonomy
terms by name.
The module doesn't sufficiently sanitize output of taxonomy vocabulary names
and term names.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer vocabularies and terms" or the ability to add
or edit nodes or entities with taxonomy fields attached.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Taxonomy Find 6.x-2.x versions up to 6.x-1.2.
* Taxonomy Find 7.x-2.x versions up to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Taxonomy Find
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Taxonomy Find module you should uninstall it.
Also see the Taxonomy Find [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [6] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- COORDINATED BY
------------------------------------------------------
* Rick Manelius [7] of the Drupal Security Team
* Matt Vance [8] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/taxonomy_find
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/taxonomy_find
[5] https://www.drupal.org/project/taxonomy_find
[6] https://www.drupal.org/user/88338
[7] https://www.drupal.org/user/680072
[8] https://www.drupal.org/user/88338
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2569631
* Advisory ID: DRUPAL-SA-CONTRIB-2015-151
* Project: Scald: Media Management made easy [1] (third-party module)
* Version: 7.x
* Date: 2015-September-16
* Security risk: 11/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to easily manage your media assets and re-use them in
all your content.
The module provided a "debug" context that gave access to all the atom
properties, including all the fields attached to the atom, without applying
the corresponding field access restrictions.
This vulnerability is mitigated by the fact that only sites that added fields
to an atom type and then restricted access to those fields are vulnerable.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Scald 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Scald: Media
Management made easy [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.5 [5]
Also see the Scald: Media Management made easy [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Franck Deroche [7]
-------- FIXED BY
------------------------------------------------------------
* Franck Deroche [8] the module maintainer
* Nagy Bálint [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/scald
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/scald
[5] https://www.drupal.org/node/2569621
[6] https://www.drupal.org/project/scald
[7] https://www.drupal.org/u/defr
[8] https://www.drupal.org/u/defr
[9] https://www.drupal.org/u/nagy.balint
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2569599
* Advisory ID: DRUPAL-SA-CONTRIB-2015-150
* Project: CMS Updater [1] (third-party module)
* Version: 7.x
* Date: 2015-September-16
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:User/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION
---------------------------------------------------------
CMS Updater allows Drupal core to be updated automatically through a
subscription service.
*Access bypass*
The module does not sufficiently protect the settings page, allowing any user
with the permission "access administration pages" to change settings.
This vulnerability is mitigated by the fact that an attacker must have the
"access administration pages" permission on the site.
*Cross Site Scripting (XSS)*
The module does not sanitize user-provided text on the configuration page,
thereby exposing a cross site scripting vulnerability.
There are no mitigating factors for the cross site scripting.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CMS Updater 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CMS Updater
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CMS Updater module for Drupal 7.x, upgrade to CMS Updater
7.x-1.3 [5]
Also see the CMS Updater [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Christian Steiger [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/cms_updater
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/cms_updater
[5] https://www.drupal.org/node/2569111
[6] https://www.drupal.org/project/cms_updater
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/u/bofrost
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2569577
* Advisory ID: DRUPAL-SA-CONTRIB-2015-148
* Project: Drupal 7 driver for SQL Server and SQL Azure [1] (third-party module)
* Version: 7.x
* Date: 2015-September-16
* Security risk: 10/25 ( Moderately Critical)
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
The Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection
vulnerability.
Certain characters aren't properly escaped by the Drupal database API. A
malicious user may be able to access restricted information by performing a
specially-crafted search.
Only sites that use contrib or custom modules which rely on the db_like()
function may be affected.
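As an added illustration (not code from the sqlsrv driver or from Drupal core), the stand-alone PHP script below contrasts the escaping logic of core's `DatabaseConnection::escapeLike()`, which only escapes `%`, `_` and `\`, with a T-SQL-aware escaper, and uses a small LIKE-to-regex translator to show which rows each resulting pattern actually matches. The advisory only says "certain characters"; the choice of the T-SQL bracket character class `[...]` as the extra wildcard is my assumption for the example. The translator is a simplified model of T-SQL `LIKE` with an explicit `ESCAPE '\'` clause, written for this illustration, not a full engine.

```php
<?php
// Added illustration, not code from the sqlsrv driver or Drupal core.

// What Drupal 7 core's DatabaseConnection::escapeLike() does: only %, _ and \
// are escaped, because MySQL and PostgreSQL LIKE know no other wildcards.
function escape_like_core($string) {
  return addcslashes($string, '\%_');
}

// A dialect-aware escaper for T-SQL, which additionally treats "[" as the start
// of a character class (LIKE 'a[bc]' matches "ab" and "ac"). Assumption: the
// driver emits an explicit ESCAPE '\' clause; without one, "\" means nothing to
// T-SQL LIKE and no backslash-based escaping works at all.
function escape_like_tsql($string) {
  return addcslashes($string, '\%_[');
}

// Simplified model of a T-SQL LIKE pattern under ESCAPE '\', translated to PCRE.
function tsql_like_to_regex($pattern) {
  $regex = '';
  $len = strlen($pattern);
  for ($i = 0; $i < $len; $i++) {
    $c = $pattern[$i];
    if ($c === '\\' && $i + 1 < $len) {
      // Escaped character: taken literally.
      $regex .= preg_quote($pattern[++$i], '/');
    }
    elseif ($c === '%') {
      $regex .= '.*';
    }
    elseif ($c === '_') {
      $regex .= '.';
    }
    elseif ($c === '[') {
      // Copy the class through to its closing bracket.
      $end = strpos($pattern, ']', $i);
      if ($end === FALSE) {
        $regex .= preg_quote($c, '/');
      }
      else {
        $regex .= '[' . substr($pattern, $i + 1, $end - $i - 1) . ']';
        $i = $end;
      }
    }
    else {
      $regex .= preg_quote($c, '/');
    }
  }
  return '/^' . $regex . '$/s';
}

// Constructed sample rows a term search might run over.
$rows = array('a[bc]', 'ab', 'ac', 'abc', 'other');

// The user is searching for the literal text "a[bc]".
$term = 'a[bc]';

$escaped = array('core' => escape_like_core($term), 'tsql' => escape_like_tsql($term));
foreach ($escaped as $label => $value) {
  $pattern = '%' . $value . '%';
  $regex = tsql_like_to_regex($pattern);
  $matches = array_values(array_filter($rows, function ($row) use ($regex) {
    return preg_match($regex, $row) === 1;
  }));
  printf("%-5s pattern %-12s matches: %s\n", $label, $pattern, implode(', ', $matches));
}
```

Run with `php escape_like_check.php`. With the core escaper the pattern becomes `%a[bc]%`, which the T-SQL model matches against `ab`, `ac` and `abc` but not against the row the user asked for; the dialect-aware escaper produces `%a\[bc]%`, which matches only `a[bc]`. The practical check for a driver is therefore that its `escapeLike()` covers every wildcard of the target dialect and that the generated SQL carries the `ESCAPE` clause the escaper relies on.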
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to
7.x-1.4
Drupal core is not affected. If you do not use the contributed Drupal 7
driver for SQL Server and SQL Azure [4] module, there is nothing you need to
do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Drupal 7 driver for SQL Server and SQL Azure module for
Drupal 7.x-1.x, you can upgrade to Drupal 7 driver for SQL Server and SQL
Azure 7.x-1.4 [5]
* If you use the Drupal 7 driver for SQL Server and SQL Azure module for
Drupal 7.x-2.x, you can upgrade to Drupal 7 driver for SQL Server and SQL
Azure 7.x-2.0 [6]
Although a 7.x-1.4 version has been released, the 7.x-1.x branch is currently
unsupported and not maintained.
Also see the Drupal 7 driver for SQL Server and SQL Azure [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Fabio Epifani [8]
-------- FIXED BY
------------------------------------------------------------
* David Garcia [9] the module maintainer
* Fabio Epifani [10]
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
* Michael Hess [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/sqlsrv
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/sqlsrv
[5] https://www.drupal.org/node/2569003
[6] https://www.drupal.org/node/2569005
[7] https://www.drupal.org/project/sqlsrv
[8] https://www.drupal.org/user/2840771
[9] https://www.drupal.org/user/696200
[10] https://www.drupal.org/user/2840771
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/u/mlhess
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2569587
* Advisory ID: SA-CONTRIB-2015-149
* Project: amoCRM [1] (third-party module)
* Version: 7.x
* Date: 2015-September-16
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Proof/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to integrate with the amoCRM service using webhooks.
The module does not sufficiently sanitize the logged data when malicious POST
data is received.
This vulnerability is mitigated by the fact that a module such as "Database
logging" (dblog), which displays log messages in an HTML context, must be
enabled.
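As an added example (not code from the amoCRM module), the stand-alone PHP script below shows why the placeholder type chosen in a `watchdog()` call decides whether dblog escapes the logged data when an administrator views the log. dblog renders stored messages through `t()`, which delegates to `format_string()`: `@` and `%` placeholders are escaped, `!` placeholders and text concatenated into the message string are not. The webhook handler names are hypothetical, the POST payload is constructed, and `check_plain()`/`format_string()` are stubbed with their Drupal 7 behaviour so the script runs outside Drupal; inside Drupal the core functions are used.

```php
<?php
// Added illustration of watchdog() placeholder semantics. Not amoCRM code.

if (!function_exists('check_plain')) {
  // Same as Drupal 7 check_plain(): HTML-escape a string for output.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

if (!function_exists('format_string')) {
  // Mirrors Drupal 7 format_string(): "@" is escaped, "%" is escaped and
  // wrapped in <em>, "!" is inserted verbatim. dblog's admin page renders a
  // stored message with exactly this function via t().
  function format_string($string, array $args = array()) {
    foreach ($args as $key => $value) {
      if ($key[0] === '@') {
        $args[$key] = check_plain($value);
      }
      elseif ($key[0] === '%') {
        $args[$key] = '<em class="placeholder">' . check_plain($value) . '</em>';
      }
      // "!" placeholders are left exactly as given.
    }
    return strtr($string, $args);
  }
}

// Captured log entries, stored as dblog stores them: message + variables.
$log = array();
function log_capture($type, $message, array $variables = array()) {
  global $log;
  $log[] = array('type' => $type, 'message' => $message, 'variables' => $variables);
}

// Hypothetical webhook handlers (names are mine), given the raw POST body.
function webhook_log_vulnerable($raw_body) {
  // Two ways attacker-controlled text reaches the admin page unescaped:
  // concatenating it into the message, or passing it as a "!" placeholder.
  log_capture('amocrm', 'Webhook received: ' . $raw_body);
  log_capture('amocrm', 'Webhook received: !body', array('!body' => $raw_body));
}

function webhook_log_hardened($raw_body) {
  // "@" placeholder: the value is escaped when the message is rendered.
  log_capture('amocrm', 'Webhook received: @body', array('@body' => $raw_body));
}

// Constructed payload containing markup, as a malicious POST body might.
$payload = '{"lead":"<script>alert(1)</script>"}';
webhook_log_vulnerable($payload);
webhook_log_hardened($payload);

// Render each entry the way the dblog admin page does.
foreach ($log as $i => $entry) {
  printf("entry %d: %s\n", $i, format_string($entry['message'], $entry['variables']));
}
```

Entries 0 and 1 come out with the `<script>` element intact, entry 2 with `&lt;script&gt;`. The fix pattern is therefore mechanical: log untrusted input only through `@` (or `%`) placeholders, never by concatenation and never through `!`, and remember that the escaping happens at display time, so existing log rows written the unsafe way stay dangerous until they are purged.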
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* amoCRM 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed amoCRM [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the amoCRM module for Drupal 7.x, upgrade to amoCRM 7.x-1.2
[5]
Also see the amoCRM [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Dmitry Kiselev [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/amocrm
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/amocrm
[5] https://www.drupal.org/node/2569243
[6] https://www.drupal.org/project/amocrm
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/1945174
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2565827
* Advisory ID: DRUPAL-SA-CONTRIB-2015-146
* Project: Twitter [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-September-09
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:User/CI:None/II:Some/E:Exploit/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to pull in public tweets from Twitter accounts, post
messages to Twitter to announce content changes, and authenticate using
Twitter.
The module doesn't sufficiently check for access when using the Twitter Post
submodule to post messages to Twitter and allows a tweet to be posted to any
authenticated account, not just one that the user owns.
The module also doesn't sufficiently check for access when listing a user's
connected Twitter accounts, allowing any user to change the options for any
other account, including deleting the attached Twitter account.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "post to twitter" in order to post to Twitter, and have
either the permission "add twitter accounts" or "add authenticated twitter
accounts" in order to access the accounts list.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Twitter 6.x-5.x versions prior to 6.x-5.2.
* Twitter 7.x-5.x versions prior to 7.x-5.9.
* Twitter 7.x-6.x versions prior to 7.x-6.0.
Drupal core is not affected. If you do not use the contributed Twitter [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Twitter 5.x module for Drupal 6.x, upgrade to Twitter
6.x-5.2 [5] or later.
* If you use the Twitter 5.x module for Drupal 7.x, upgrade to Twitter
7.x-5.9 [6] or later.
* If you use the Twitter 6.x module for Drupal 7.x, upgrade to Twitter
7.x-6.0 [7] or later.
Also see the Twitter [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Chris Car [9]
* Carl Bowles [10]
* Stein Magne Bjørklund [11]
* Omnia Ibrahim [12]
* Daniel Roman Sabate [13]
* mshepherd [14]
* voughndutch [15]
-------- FIXED BY
------------------------------------------------------------
* adirael [16]
* arcovia [17]
* Michael Nielson [18]
* Damien McKenna [19], the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [20] of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [21].
Learn more about the Drupal Security team and their policies [22], writing
secure code for Drupal [23], and securing your site [24].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [25]
[1] https://www.drupal.org/project/twitter
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/twitter
[5] https://www.drupal.org/node/2559989
[6] https://www.drupal.org/node/2559981
[7] https://www.drupal.org/node/2559985
[8] https://www.drupal.org/project/twitter
[9] https://www.drupal.org/u/chris_car
[10] https://www.drupal.org/u/carlbowles100
[11] https://www.drupal.org/u/steinmb
[12] https://www.drupal.org/u/omnia.ibrahim
[13] https://www.drupal.org/u/dromansab
[14] https://www.drupal.org/u/mshepherd
[15] https://www.drupal.org/user/1374418
[16] https://www.drupal.org/u/adirael
[17] https://www.drupal.org/u/arcovia
[18] https://www.drupal.org/u/nielsonm
[19] https://www.drupal.org/u/damienmckenna
[20] https://www.drupal.org/u/dsnopek
[21] https://www.drupal.org/contact
[22] https://www.drupal.org/security-team
[23] https://www.drupal.org/writing-secure-code
[24] https://www.drupal.org/security/secure-configuration
[25] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2565875
* Advisory ID: DRUPAL-SA-CONTRIB-2015-147
* Project: RESTful [1] (third-party module)
* Version: 7.x
* Date: 2015-September-09
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to expose your Drupal backend by generating a RESTful
API.
The module doesn't sufficiently account for core's page cache generation for
anonymous users when non-cookie authentication providers are used.
A response generated for a user authenticated via one of those providers can
be stored in the anonymous page cache, thereby allowing access to potentially
restricted information during subsequent anonymous requests.
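As an added illustration of the defensive pattern (not the RESTful module's own code or its actual fix), the PHP script below shows why header-based authentication slips past core's page cache logic and how a module can opt the response out. In Drupal 7, `drupal_session_initialize()` only calls `drupal_page_is_cacheable(FALSE)` when a session cookie identifies a logged-in user; a request authenticated purely by a header carries no such cookie, so `drupal_page_set_cache()` will store the personalised response under the anonymous cache entry for that URL. The token lookup and the `example_` function names are hypothetical, the token table is constructed, and the two core functions are stubbed (simplified) so the script runs outside Drupal.

```php
<?php
// Added illustration of the page-cache hazard with non-cookie authentication.
// Not RESTful module code. Stubs stand in for core when run outside Drupal.

if (!function_exists('drupal_page_is_cacheable')) {
  // Simplified stand-in for core: a static flag, default TRUE, that
  // drupal_page_set_cache() consults before writing the anonymous page cache.
  function drupal_page_is_cacheable($allow_caching = NULL) {
    static $allow = TRUE;
    if (isset($allow_caching)) {
      $allow = $allow_caching;
    }
    return $allow;
  }
}

if (!function_exists('drupal_add_http_header')) {
  // Stand-in: core queues the header for the response.
  function drupal_add_http_header($name, $value) {
    $GLOBALS['queued_headers'][$name] = $value;
  }
}

// Hypothetical token lookup (name and data are mine): maps API tokens to uids.
function example_token_lookup($token) {
  $tokens = array('tok-123' => 42);   // constructed sample data
  return isset($tokens[$token]) ? $tokens[$token] : 0;
}

// Authenticate from a request header. Returns the uid (0 = anonymous) and,
// on success, marks the page as not cacheable for anonymous users.
function example_authenticate(array $headers) {
  if (empty($headers['X-Auth-Token'])) {
    return 0;
  }
  $uid = example_token_lookup($headers['X-Auth-Token']);
  if ($uid) {
    // The defence: a per-user response must never land in the anonymous page
    // cache, and intermediaries should be told the same.
    drupal_page_is_cacheable(FALSE);
    drupal_add_http_header('Cache-Control', 'private, no-store');
  }
  return $uid;
}

// An anonymous request first: the flag stays at its default.
$uid = example_authenticate(array());
printf("anonymous request: uid=%d cacheable=%s\n", $uid, drupal_page_is_cacheable() ? 'yes' : 'no');

// A header-authenticated request: the flag is now off for the rest of the
// request, so core will not write this response to the page cache.
$uid = example_authenticate(array('X-Auth-Token' => 'tok-123'));
printf("token request:     uid=%d cacheable=%s\n", $uid, drupal_page_is_cacheable() ? 'yes' : 'no');
```

The call to `drupal_page_is_cacheable(FALSE)` has to happen during the request, before `drupal_page_footer()` runs; an authentication provider that resolves the user in `hook_boot()`, `hook_init()` or its own page callback is early enough. The `Cache-Control: private` header matters independently, because reverse proxies in front of the site apply the same "no cookie, therefore anonymous" heuristic.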
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* RESTful 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed RESTful [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RESTful module for Drupal 7.x, upgrade to RESTful 7.x-1.3
[5]
Also see the RESTful [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Richard Thomas [7]
-------- FIXED BY
------------------------------------------------------------
* Mateu Aguiló [8] the module maintainer
* Lee Rowlands [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/restful
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/restful
[5] https://www.drupal.org/node/2565421
[6] https://www.drupal.org/project/restful
[7] https://www.drupal.org/user/1924680
[8] https://www.drupal.org/user/550110
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2561971
* Advisory ID: DRUPAL-SA-CONTRIB-2014-145
* Project: Fieldable Panels Panes (FPP) [1] (third-party module)
* Version: 7.x
* Date: 2015-September-02
* Security risk: 8/25 ( Less Critical)
AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Fieldable Panels Panes enables you to create custom panes for embedding in
Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a
fieldable custom entity type.
The module doesn't sufficiently check for permission to edit existing
Fieldable Panels Panes entities, thus allowing someone to modify a pane they
don't have permission to edit.
This vulnerability is mitigated by the fact that an attacker must have a role
with the necessary permissions to edit a panels display that has a custom
pane, and it's uncommon that someone is given access to this functionality
and not also permission to edit the panes.
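As an added example serving the access bypass advisories above (CMS Updater's settings page, Twitter's per-account options and Fieldable Panels Panes' entity edit check), the PHP script below shows the two checks in `hook_menu()` form: a settings page gated by a purpose-specific administrative permission instead of the broad "access administration pages", and per-record edit/delete routes whose `access callback` verifies ownership as well as permission. The module name `example`, its permission names, the account records and the permission table are all hypothetical; this is not code from any of those modules. `user_access()` is stubbed with a constructed permission table so the script runs outside Drupal.

```php
<?php
// Added illustration of permission and ownership checks in hook_menu().
// Hypothetical "example" module; not CMS Updater, Twitter or FPP code.

if (!function_exists('user_access')) {
  // Stand-in for user_access($permission, $account): constructed table by uid.
  function user_access($permission, $account = NULL) {
    $table = array(
      1 => array('access administration pages', 'administer site configuration',
                 'administer example accounts', 'edit own example accounts'),
      2 => array('access administration pages', 'edit own example accounts'),
    );
    $uid = $account ? $account->uid : $GLOBALS['user']->uid;
    return isset($table[$uid]) && in_array($permission, $table[$uid], TRUE);
  }
}

// Constructed sample data: which uid owns which account record.
function example_account_load($account_id) {
  $accounts = array(
    10 => (object) array('id' => 10, 'uid' => 1),
    11 => (object) array('id' => 11, 'uid' => 2),
  );
  return isset($accounts[$account_id]) ? $accounts[$account_id] : FALSE;
}

// Ownership-aware access callback: administrators may act on any record,
// everyone else only on their own, and only with the matching permission.
// $op ('edit' or 'delete') is gated identically here.
function example_account_access($op, $account, $user = NULL) {
  $user = $user ? $user : $GLOBALS['user'];
  if (!$account) {
    return FALSE;
  }
  if (user_access('administer example accounts', $user)) {
    return TRUE;
  }
  return $account->uid == $user->uid && user_access('edit own example accounts', $user);
}

// hook_menu(): without an 'access callback', the menu system falls back to
// user_access() on 'access arguments', which is where a too-broad permission
// such as "access administration pages" slips in. The %example_account
// wildcard makes the menu system load the record and pass it as argument 2.
function example_menu() {
  $items = array();
  $items['admin/config/services/example'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    'access arguments' => array('administer site configuration'),
  );
  $items['example/account/%example_account/edit'] = array(
    'title' => 'Edit account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_account_form', 2),
    'access callback' => 'example_account_access',
    'access arguments' => array('edit', 2),
  );
  $items['example/account/%example_account/delete'] = array(
    'title' => 'Delete account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_account_delete_form', 2),
    'access callback' => 'example_account_access',
    'access arguments' => array('delete', 2),
  );
  return $items;
}

// Exercise the checks for a non-administrator (uid 2) outside Drupal.
$GLOBALS['user'] = (object) array('uid' => 2);
$items = example_menu();
$edit = $items['example/account/%example_account/edit'];
foreach (array(10, 11) as $id) {
  $allowed = call_user_func($edit['access callback'], 'edit', example_account_load($id));
  printf("uid 2 editing account %d: %s\n", $id, $allowed ? 'allowed' : 'denied');
}
$settings = $items['admin/config/services/example'];
$allowed = user_access($settings['access arguments'][0]);
printf("uid 2 on settings page: %s\n", $allowed ? 'allowed' : 'denied');
```

For uid 2 the script reports account 10 (owned by uid 1) as denied, account 11 as allowed, and the settings page as denied even though uid 2 holds "access administration pages". The same ownership callback should guard the form submit handlers and any AJAX or list endpoints, not just the menu route, since the menu access check only covers the paths it is attached to.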
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Fieldable
Panels Panes (FPP) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fieldable Panels Panes module for Drupal 7, upgrade to
Fieldable Panels Panes 7.x-1.7 [5].
Also see the Fieldable Panels Panes (FPP) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Chris Burge [7]
-------- FIXED BY
------------------------------------------------------------
* Chris Burge [8]
* Damien McKenna [9], the module maintainer.
* David Snopek [10] of the Drupal Security Team.
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [11] of the Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/fieldable_panels_panes
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/fieldable_panels_panes
[5] https://www.drupal.org/node/2561981
[6] https://www.drupal.org/project/fieldable_panels_panes
[7] https://www.drupal.org/u/chris-burge
[8] https://www.drupal.org/u/chris-burge
[9] https://www.drupal.org/u/damienmckenna
[10] https://www.drupal.org/u/dnopek
[11] https://www.drupal.org/u/dnopek
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2561951
* Advisory ID: DRUPAL-SA-CONTRIB-2015-144
* Project: Mass Contact [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-September-02
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module allows anyone with permission to send a single message to
multiple users of a site, using the site's roles and/or taxonomy
functionality.
The module doesn't sufficiently sanitize the category labels when they are
displayed.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer mass contact".
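As an added example serving the output-sanitization advisories on this page (Taxonomy Find's vocabulary and term names, CMS Updater's configuration text, and Mass Contact's category labels), the stand-alone PHP script below renders administrator-supplied labels first by raw concatenation and then through `check_plain()` at the point the strings enter HTML. The rendering functions and the sample vocabulary are hypothetical and constructed; this is not code from any of the modules. `check_plain()` is stubbed with its Drupal 7 definition so the script runs outside Drupal.

```php
<?php
// Added illustration of escaping administrator-supplied labels at output.
// Not code from Taxonomy Find, CMS Updater or Mass Contact.

if (!function_exists('check_plain')) {
  // Same as Drupal 7 check_plain(): HTML-escape a string for output.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: a vocabulary whose administrator has put markup in
// names. A role that may administer terms is trusted for that task, but the
// rendering code must not turn it into a way to run script in other
// administrators' browsers.
$vocabulary = (object) array(
  'name' => 'Topics <script>alert("vocab")</script>',
  'terms' => array(
    (object) array('tid' => 1, 'name' => 'Rock & Roll'),
    (object) array('tid' => 2, 'name' => '<script>alert("term")</script>'),
  ),
);

// Vulnerable: names are concatenated straight into HTML.
function render_terms_vulnerable($vocabulary) {
  $html = '<h2>' . $vocabulary->name . '</h2><ul>';
  foreach ($vocabulary->terms as $term) {
    $html .= '<li><a href="/taxonomy/term/' . $term->tid . '">' . $term->name . '</a></li>';
  }
  return $html . '</ul>';
}

// Hardened: every string that did not originate in this function is escaped
// where it enters HTML. Escaping at output rather than on save also covers
// names stored before the fix.
function render_terms_hardened($vocabulary) {
  $html = '<h2>' . check_plain($vocabulary->name) . '</h2><ul>';
  foreach ($vocabulary->terms as $term) {
    $html .= '<li><a href="/taxonomy/term/' . (int) $term->tid . '">' . check_plain($term->name) . '</a></li>';
  }
  return $html . '</ul>';
}

// Same rule for text entered on a configuration page or as a category label:
// store it raw, escape it wherever it is shown.
function render_setting_hardened($label, $value) {
  return '<p><strong>' . check_plain($label) . ':</strong> ' . check_plain($value) . '</p>';
}

// Check whether any input containing "<" survives verbatim into the output.
function markup_leaks($html, array $inputs) {
  foreach ($inputs as $input) {
    if (strpos($input, '<') !== FALSE && strpos($html, $input) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

$inputs = array($vocabulary->name, $vocabulary->terms[1]->name);
echo render_terms_vulnerable($vocabulary), "\n";
echo render_terms_hardened($vocabulary), "\n";
echo render_setting_hardened('Update service', 'https://example.invalid/?<script>alert(1)</script>'), "\n";
printf("vulnerable output leaks markup: %s\nhardened output leaks markup: %s\n",
  markup_leaks(render_terms_vulnerable($vocabulary), $inputs) ? 'yes' : 'no',
  markup_leaks(render_terms_hardened($vocabulary), $inputs) ? 'yes' : 'no');
```

In module code the same effect comes from `t()` and `format_string()` with `@`/`%` placeholders, from `l()` (which escapes link text unless `'html' => TRUE` is passed), and from `check_plain()` before a string is placed in a render array's `'#markup'`. The ampersand in "Rock & Roll" shows a second reason to escape at output: the hardened version also yields valid HTML for ordinary names.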
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mass Contact 6.x-1.x versions prior to 6.x-1.6.
* Mass Contact 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Mass Contact
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact
6.x-1.6 [5]
* If you use the Mass Contact module for Drupal 7.x, upgrade to Mass Contact
7.x-1.1 [6]
Also see the Mass Contact [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Daniel Johnson [8]
-------- FIXED BY
------------------------------------------------------------
* Jason Flatt [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Aaron Ott [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/mass_contact
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/mass_contact
[5] https://www.drupal.org/node/2561695
[6] https://www.drupal.org/node/2561699
[7] https://www.drupal.org/project/mass_contact
[8] https://www.drupal.org/user/970952
[9] https://www.drupal.org/user/4649
[10] https://www.drupal.org/user/154069
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity