View online: https://www.drupal.org/node/2657654
* Advisory ID: DRUPAL-SA-CONTRIB-2016-003
* Project: Open Atrium [1] (third-party module)
* Version: 7.x
* Date: 2016-January-27
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Open Atrium allows you to control access via a hierarchy of public and
private spaces and sub-spaces. If a public sub-space is created within a
private parent-space, the content nodes of the public sub-space are
accessible to users who are not members of the parent private space.
This issue only affects sites that use private sub-spaces.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Open Atrium 7.x-2.x versions prior to 7.x-2.53.
Drupal core is not affected. If you do not use the contributed Open Atrium
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
* Upgrade to the latest version, 7.x-2.53 [5]
If you are not able to fully upgrade to the latest version, ensure private
sub-spaces are directly marked as private and are not seen publicly in a
private parent space.
Also see the Open Atrium [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mike Potter [7], Open Atrium maintainer.
-------- FIXED BY
------------------------------------------------------------
* Mike Potter [8], Open Atrium maintainer.
* Scott Henry [9], Open Atrium co-maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/openatrium
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/openatrium
[5] https://www.drupal.org/node/2657640
[6] https://www.drupal.org/project/openatrium
[7] https://www.drupal.org/u/mpotter
[8] https://www.drupal.org/u/mpotter
[9] https://www.drupal.org/u/scottalan
[10] https://www.drupal.org/user/426416
[11] https://www.drupal.org/u/coltrane
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2649800
* Advisory ID: DRUPAL-SA-CONTRIB-2016-002
* Project: RedHen CRM [1] (third-party module)
* Version: 7.x
* Date: 2016-January-13
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Redhen set of modules allows you to build a CRM features in a Drupal
site.
When rendering individual Contacts, this module does not properly filter the
certain data prior to display. When rendering listing of notes or engagement
scores, these modules do not properly filter certain data before display.
This vulnerability is mitigated by the fact that an attacker must have an
authenticated user account with access to edit a contact, administer
engagement scores, or administer taxonomies.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Redhen 7.x-1.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed RedHen CRM [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the RedHen module for Drupal 7.x, upgrade to Redhen 7.x-1.11
[5]
Workaround (if you are unable to update the module immediately):
* In the display settings for your Redhen Contact Types
(admin/structure/redhen/contact_types), hide "name" on all display modes.
* Restrict access to "Administer Engagement Scores" and "Administer
Taxonomies" to trusted users.
Also see the RedHen CRM [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mikko Rantanen [7]
* Gabe Carleton-Barnes [8], a module maintainer
* Greg Knaddison [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jaymz Rhime [10], a module maintainer
* Gabe Carleton-Barnes [11], a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/redhen
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/redhen
[5] https://www.drupal.org/node/2649780
[6] https://www.drupal.org/project/redhen
[7] https://www.drupal.org/user/1004738
[8] https://www.drupal.org/user/1682976
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/3181097
[11] https://www.drupal.org/user/1682976
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2645350
* Advisory ID: DRUPAL-SA-CONTRIB-2016-001
* Project: Field Group [1] (third-party module)
* Version: 7.x
* Date: 2016-January-06
* Security risk: 12/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Field Group module enables you to group fields on entity forms and entity
displays.
When adding a HTML element as group, the user has the option to add custom
HTML attributes on the group. Via this option, a malicious user can embed
scripts within the page, resulting in a Cross-site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker has to be able
to configure field display settings, which usually needs a higher level
permission such as /Administer vocabularies and terms/.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Field Group 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Field Group
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Field Group module for Drupal 7.x, upgrade to Field Group
7.x-1.5 [5]
Also see the Field Group [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Nils Destoop [8], module maintainer
* Pere Orga [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/field_group
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/field_group
[5] https://www.drupal.org/node/2644832
[6] https://www.drupal.org/project/field_group
[7] https://www.drupal.org/u/pere-orga
[8] https://www.drupal.org/user/361625
[9] https://www.drupal.org/u/pere-orga
[10] https://www.drupal.org/user/266527
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity