View online: https://www.drupal.org/node/2710247
* Advisory ID: DRUPAL-SA-CONTRIB-2016-024
* Project: EPSA Crop - Image Cropping [1] (third-party module)
* Version: 7.x
* Date: 2016-April-20
* Security risk: 18/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
EPSA Crop is a module that allows a user to choose coordinates for different
presets on an image. If a user defines coordinates, EPSACrop will override the
Imagecache process and set the new coordinates.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of EPSA Crop module.
Drupal core is not affected. If you do not use the contributed EPSA Crop [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the EPSA Crop module for Drupal 7.x you should uninstall it.
Also see the EPSA Crop [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra of the Drupal Security Team [6]
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] https://www.drupal.org/project/epsacrop
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/epsacrop
[5] https://www.drupal.org/project/epsacrop
[6] https://www.drupal.org/u/Heine
[7] https://www.drupal.org/contact
[8] https://www.drupal.org/security-team
[9] https://www.drupal.org/writing-secure-code
[10] https://www.drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2710115
* Advisory ID: DRUPAL-SA-CONTRIB-2016-023
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2016-April-20
* Security risk: 12/25 ( Moderately Critical)
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables users to create and manage their own 'groups'. Each group
can have subscribers, and maintains a group home page where subscribers
communicate among themselves. Groups can be selective, requiring approval in
order to become a member, or even invitation-only.
Under certain field configurations, a user is able to subscribe, without
approval, to a group that requires membership approval. Depending on
permissions, the user may then be able to post content to that group.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic groups 7.x-2.x versions prior to 7.x-2.9.
Drupal core is not affected. If you do not use the contributed Organic groups
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Organic groups module for Drupal 7.x, upgrade to Organic
groups 7.x-2.9 [5]
Also see the Organic groups [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jonathan Hedstrom (jhedstrom) [7]
-------- FIXED BY
------------------------------------------------------------
* Jonathan Hedstrom (jhedstrom) [8]
* Helena Eksler [9]
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
* Mike Potter [11] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/og
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/og
[5] https://www.drupal.org/node/2709927
[6] https://www.drupal.org/project/og
[7] https://www.drupal.org/user/208732
[8] https://www.drupal.org/user/208732
[9] https://www.drupal.org/user/2997591
[10] https://www.drupal.org/user/266527
[11] https://www.drupal.org/user/616192
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2710063
* Advisory ID: DRUPAL-SA-CONTRIB-2016-022
* Project: Search API [1] (third-party module)
* Version: 7.x
* Date: 2016-April-20
* Security risk: 11/25 ( Moderately Critical)
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Information Disclosure, Cross Site Scripting, Access
bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to build searches using a wide range of features,
data sources and backends.
.... Search index not updated by node access changes
The module doesn't sufficiently re-index nodes when the "Node access" or
"Access check" data alterations are in use and node access is changed in
non-standard ways. This could lead to nodes or comments being listed in search
results to which the visitor viewing the results should not have access.
This vulnerability is mitigated by the fact that this only occurs in uncommon
setups, and that only nodes that were already accessible to the user at some
point can be displayed.
.... XSS vulnerability in Views search results
The module doesn't sufficiently sanitize field values returned directly from
the search server (e.g., Solr).
This vulnerability is mitigated by the fact that several components/modules
need to be configured in a specific way to allow this vulnerability to be
exploited.
.... Doesn't check for "access comments" permission when searching for
comments
The module doesn't sufficiently check the user's permissions when comments
are searched.
This vulnerability is mitigated by the fact that it only occurs in specific
site configurations:
* A search index with item type "Comment".
* Using the "Access check" data alteration for protection.
* The site allowing certain users to view content (nodes), but not
comments.
* A search page for the comment index must be accessible for these users.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Search API 7.x-1.x versions prior to 7.x-1.18.
Drupal core is not affected. If you do not use the contributed Search API [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Search API module for Drupal 7.x, upgrade to Search API
7.x-1.18 [5]
Also see the Search API [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Thomas Seidl [7] the module maintainer
* Mike Potter [8]
-------- FIXED BY
------------------------------------------------------------
* Thomas Seidl [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Mike Potter [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/search_api
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/search_api
[5] https://www.drupal.org/node/2710001
[6] https://www.drupal.org/project/search_api
[7] https://www.drupal.org/u/drunken-monkey
[8] https://www.drupal.org/u/mpotter
[9] https://www.drupal.org/u/drunken-monkey
[10] https://www.drupal.org/u/mpotter
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2705765
* Advisory ID: DRUPAL-SA-CONTRIB-2016-021
* Project: Boost [1] (third-party module)
* Version: 7.x
* Date: 2016-April-13
* Security risk: 11/25 ( Moderately Critical)
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module provides static page caching for Drupal enabling a very
significant performance and scalability boost for sites that receive mostly
anonymous traffic.
The module doesn't prevent form cache from leaking between anonymous users,
which could result in information disclosure, where one user sees form data
generated for another.
This vulnerability is mitigated by the fact that it only affects AJAX forms
which expose sensitive data to anonymous users.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Boost 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Boost [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1 [5]
Also see the Boost [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Rothstein [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* znerol [8]
* David Rothstein [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
* David Snopek [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/boost
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/boost
[5] https://www.drupal.org/node/2705769
[6] https://www.drupal.org/project/boost
[7] https://www.drupal.org/user/124982
[8] https://www.drupal.org/user/63999
[9] https://www.drupal.org/user/124982
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/u/dsnopek
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2705637
* Advisory ID: DRUPAL-SA-CONTRIB-2016-020
* Project: Features [1] (third-party module)
* Version: 7.x
* Date: 2016-April-13
* Security risk: 7/25 ( Less Critical)
AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery, Denial of Service
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to organize and export configuration data.
The module doesn't sufficiently protect the admin/structure/features/cleanup
path with a token. If an attacker can trick an admin with the "manage
features" permission to request a special URL, it could lead to clearing the
cache repeatedly and a Denial of Service (DoS) attack.
This vulnerability is mitigated by the fact that the admin with the "manage
features" permissions must be logged in when they request the special URL.
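The fix the advisory implies is a token on the state-changing path. The following added example (not the Features module's own code) models that on Drupal 7's drupal_get_token()/drupal_valid_token() pattern in Python: the token is an HMAC bound to the admin's session and a server secret, so a link embedded on a third-party page cannot carry a valid one. PRIVATE_KEY, HASH_SALT and the session ids are constructed values.

```python
"""Session-bound token for a state-changing admin path, modelled on Drupal 7's
drupal_get_token() / drupal_valid_token(). Added example, not the Features
module's code; PRIVATE_KEY, HASH_SALT and the session ids are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

PRIVATE_KEY = "constructed-private-key"   # Drupal keeps these server-side
HASH_SALT = "constructed-hash-salt"
CLEANUP_PATH = "admin/structure/features/cleanup"   # path named in the advisory
TOKEN_PURPOSE = "features-cleanup"


def get_token(session_id: str, value: str) -> str:
    """HMAC over the purpose string, keyed by session id + server secrets,
    so a token is only valid for the session it was issued to."""
    key = (session_id + PRIVATE_KEY + HASH_SALT).encode()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, value: str) -> bool:
    """Constant-time comparison against the token this session would get."""
    expected = get_token(session_id, value)
    return hmac.compare_digest(token.encode(), expected.encode())


def cleanup_link(session_id: str) -> str:
    """What the admin UI should emit: the path plus a session-bound token."""
    return f"{CLEANUP_PATH}?token={get_token(session_id, TOKEN_PURPOSE)}"


def handle_request(url: str, session_id: str, has_permission: bool) -> int:
    """Hardened menu callback. Returns an HTTP-style status: 403 when the
    caller lacks 'manage features' or the token is missing or wrong, 200 when
    the cleanup (a cache clear) is actually performed."""
    if not has_permission:
        return 403
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    # A GET that changes state must prove it came from the admin's own UI.
    # Without this, any page the admin visits can link to the path and make
    # the browser trigger the cache clear, which is the DoS the advisory names.
    if not valid_token(token, session_id, TOKEN_PURPOSE):
        return 403
    return 200


def vulnerable_handle_request(url: str, session_id: str, has_permission: bool) -> int:
    """Pre-fix behaviour: permission check only, so a logged-in admin's
    browser performs the action for any page that links to the path."""
    return 200 if has_permission else 403


def demo() -> dict:
    admin = secrets.token_hex(8)                 # the logged-in admin's session
    forged = f"{CLEANUP_PATH}?token=deadbeef"    # a link from a third-party page
    return {
        "legit": handle_request(cleanup_link(admin), admin, True),
        "forged": handle_request(forged, admin, True),
        "no_token": handle_request(CLEANUP_PATH, admin, True),
        "replayed_elsewhere": handle_request(cleanup_link(admin), secrets.token_hex(8), True),
        "vulnerable_forged": vulnerable_handle_request(forged, admin, True),
    }
```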
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Features 7.x-2.x versions prior to 7.x-2.9.
* Features 7.x-1.x which is no longer supported.
Drupal core is not affected. If you do not use the contributed Features [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Features module for Drupal 7.x, upgrade to Features
7.x-2.9 [5]
Also see the Features [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* James Kerrigan [7]
-------- FIXED BY
------------------------------------------------------------
* James Kerrigan [8]
* Mike Potter [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/features
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/features
[5] https://www.drupal.org/node/2705595
[6] https://www.drupal.org/project/features
[7] https://www.drupal.org/user/2511902
[8] https://www.drupal.org/user/2511902
[9] https://www.drupal.org/user/616192
[10] https://www.drupal.org/u/dsnopek
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2701259
* Advisory ID: DRUPAL-SA-CONTRIB-2016-019
* Project: Drupal Commerce [1] (third-party module)
* Version: 7.x
* Date: 2016-April-06
* Security risk: 9/25 ( Less Critical)
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to build an online store that uses nodes to display
products through the use of product reference fields. The default widget for
those fields is an autocomplete textfield similar to the taxonomy term
reference field's autocomplete widget. As you type in the textfield, the
Commerce Product module returns a JSON array of matching product SKUs /
titles for you to select.
The module doesn't sufficiently restrict access to the autocomplete path
under the default configuration of the field. A visitor to the website could
browse directly to the autocomplete path to see a list of products that would
ordinarily be returned to the autocomplete JavaScript to populate the
autocomplete dropdown. Default parameters on the function used to generate
this list cause it to bypass the product access control check that would
ordinarily restrict product visibility to end users based on your site's
permissions.
This vulnerability is mitigated by the fact that an attacker must know what
the autocomplete path is and what arguments to include in it to generate a
valid response based on your site's architecture. Additionally, in most
eCommerce sites, product SKUs and titles are not by themselves considered
private information.
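The flaw described above is a function default that decides whether access control runs. The following added example (not Drupal Commerce's own code) shows that pattern in Python, with the opt-in default beside the hardened opt-out default, and an autocomplete callback that passes no flag and therefore inherits whichever default the matcher has. The catalogue, the permission string and the function names are constructed.

```python
"""Autocomplete lookup whose product access check hangs on a function default.
Added example, not Drupal Commerce's code; the catalogue, permission model and
function names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    sku: str
    title: str
    status: bool    # False = disabled, hidden from ordinary visitors


# Constructed catalogue: the disabled product must not appear for visitors.
PRODUCTS = [
    Product("TEE-001", "Logo T-shirt", True),
    Product("PRE-001", "Unreleased gadget", False),
    Product("MUG-001", "Logo mug", True),
]
ADMIN_PERM = "administer products"    # constructed permission name
ANONYMOUS = {"permissions": frozenset()}
ADMIN = {"permissions": frozenset({ADMIN_PERM})}


def product_access(product: Product, account: dict) -> bool:
    """Stand-in for the site's product access control."""
    return product.status or ADMIN_PERM in account["permissions"]


def _matches(string: str) -> list:
    needle = string.lower()
    return [p for p in PRODUCTS
            if needle in p.sku.lower() or needle in p.title.lower()]


def match_products_vulnerable(string: str, account: dict,
                              access_check: bool = False) -> list:
    """The pattern behind the advisory: the check is opt-in, so every caller
    that relies on the default silently skips it."""
    return [p.sku for p in _matches(string)
            if not access_check or product_access(p, account)]


def match_products(string: str, account: dict,
                   access_check: bool = True) -> list:
    """Hardened: the check is the default; a caller that truly needs the
    unfiltered list (an admin-only report) must opt out explicitly."""
    return [p.sku for p in _matches(string)
            if not access_check or product_access(p, account)]


def autocomplete(string: str, account: dict, matcher=match_products) -> dict:
    """The callback behind the autocomplete path. It passes no access_check
    argument, so it inherits the matcher's default; a visitor who requests
    the path directly receives exactly this SKU -> label mapping as JSON."""
    skus = set(matcher(string, account))
    return {p.sku: f"{p.sku}: {p.title}" for p in PRODUCTS if p.sku in skus}
```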
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.
Drupal core is not affected. If you do not use the contributed Drupal
Commerce [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Drupal Commerce module for Drupal 7.x, upgrade to Drupal
Commerce 7.x-1.13 [5]
Also see the Drupal Commerce [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Nikolay Ignatov [7]
* Matthias Hutterer [8]
-------- FIXED BY
------------------------------------------------------------
* Matt Glaman [9] the module co-maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/commerce
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/commerce
[5] https://www.drupal.org/node/2701205
[6] https://www.drupal.org/project/commerce
[7] https://www.drupal.org/user/417078
[8] https://www.drupal.org/user/59747
[9] https://www.drupal.org/user/2416470
[10] https://www.drupal.org/u/klausi
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2701211
* Advisory ID: DRUPAL-SA-CONTRIB-2016-018
* Project: HybridAuth Social Login [1] (third-party module)
* Version: 7.x
* Date: 2016-April-06
* Security risk: 9/25 ( Less Critical)
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure, Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
The HybridAuth Social Login module enables you to allow visitors to
authenticate or login to a Drupal site using their identities from social
networks like Facebook or Twitter.
.... Open redirect
The module doesn't verify that the "destination" redirect after a login is a
non-external URL, causing an open redirect vulnerability. This vulnerability
can be used by any attacker crafting a special login link.
.... Information disclosure
The module doesn't check the tokens in the "destination" redirect value
allowing an attacker to specify arbitrary tokens. Any token value is exposed
in the redirect URL.
This vulnerability is mitigated by the fact that there must be secret data on
the site that is exposed through the token system (for example, an
access-protected field), and an attacker must know which fields/tokens
contain secret information.
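Both issues above come down to how a user-supplied "destination" is handled before the redirect. The following added example (not the HybridAuth module's own code) shows the two checks in Python: an external-URL test modelled on Drupal 7's url_is_external(), and treating the value as opaque text so it is never token-expanded. The TOKENS table, the URLs and the FALLBACK path are constructed.

```python
"""Post-login "destination" handling: reject external targets and never expand
tokens in a user-supplied value. Added example, not the HybridAuth module's
code; the TOKENS table, URLs and FALLBACK path are constructed."""
import re

FALLBACK = "user"   # where to send the user when the destination is rejected

# Constructed stand-in for Drupal's token system: values that must stay private.
TOKENS = {
    "[user:mail]": "alice@example.test",
    "[user:one-time-login-url]": "https://site.example/user/reset/1/constructed",
}
TOKEN_RE = re.compile(r"\[[a-z0-9_-]+:[a-z0-9_:-]+\]")


def token_replace(text: str) -> str:
    """Like token_replace(): substitute every known [type:name] token."""
    return TOKEN_RE.sub(lambda m: TOKENS.get(m.group(0), m.group(0)), text)


def is_external(url: str) -> bool:
    """Modelled on Drupal 7's url_is_external(): backslashes count as slashes,
    a leading '//' is scheme-relative (external), and a colon before the first
    '/', '?' or '#' means an explicit scheme (http:, javascript:, mailto: ...)."""
    url = url.replace("\\", "/")
    if url.startswith("//"):
        return True
    head = re.split(r"[/?#]", url, maxsplit=1)[0]
    return ":" in head


def safe_destination(destination: str) -> str:
    """Return a redirect target that stays on this site. Empty values,
    control characters and anything external fall back to FALLBACK. The value
    is passed through as opaque text: a literal '[user:mail]' stays literal."""
    if not destination or any(ord(c) < 0x20 for c in destination):
        return FALLBACK
    if is_external(destination):
        return FALLBACK
    return destination.lstrip("/")   # Drupal-style internal path


def vulnerable_redirect(destination: str) -> str:
    """Pre-fix behaviour the advisory describes: token-expand the value and
    follow it with no external-URL check, so a crafted login link both leaves
    the site and carries the expanded secret with it."""
    return token_replace(destination)


def demo() -> dict:
    crafted = "http://evil.example/?m=[user:mail]"
    return {
        "vulnerable": vulnerable_redirect(crafted),
        "hardened": safe_destination(crafted),
        "token_in_local_path": safe_destination("user/[user:mail]"),
    }
```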
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.15.
Drupal core is not affected. If you do not use the contributed HybridAuth
Social Login [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the HybridAuth Social Login module for Drupal 7.x, upgrade to
HybridAuth Social Login 7.x-2.15 [5]
Also see the HybridAuth Social Login [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Andrew Berezovsky [8] the module maintainer
* Klaus Purer [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/hybridauth
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/hybridauth
[5] https://www.drupal.org/node/2700919
[6] https://www.drupal.org/project/hybridauth
[7] https://www.drupal.org/u/klausi
[8] https://www.drupal.org/u/duozersk
[9] https://www.drupal.org/u/klausi
[10] https://www.drupal.org/u/klausi
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity