View online: https://www.drupal.org/node/2793115
* Advisory ID: DRUPAL-SA-CONTRIB-2016-050
* Project: Flag [1] (third-party module)
* Version: 7.x
* Date: 2016-August-31
* Security risk: 12/25 ( Moderately Critical)
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
Flag enables users to mark content with any number of admin-defined flags,
such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag,
which provides a 'bookmarks' flag, and default views to list bookmarked
content.
The provided view that lists each user's bookmarked content as a tab on their
user profile uses the permission to use the 'bookmarks' flag as its only
access control. This means that any user who has permission to use the
'bookmarks' flag can see the list of content that any other user has
bookmarked, simply by changing the user ID in the tab's URL.
This vulnerability is mitigated by the fact that the site must have enabled
the Flag Bookmark module to create this view, and an attacker must have a
role with the permission "Flag node entities as bookmarks".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Flag 7.x-3.x versions prior to 7.x-3.8.
Drupal core is not affected. If you do not use the contributed Flag [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8 [5]
If you have Flag Bookmark enabled, or have enabled it in the past and still
have the flag_bookmarks_tab view active, edit that view and change its
User: uid contextual filter as follows:
1) set the validator to 'Current user ID matches argument value';
2) set the action to take if the filter value does not validate to 'Show
"Page not found"'.
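The check the Views change above performs, written out in code as an added example (this is not Flag module code): a Drupal 7 menu access callback for a hypothetical per-user bookmarks tab that requires both the capability permission and that the viewer owns the profile being looked at. The path 'user/%user/example-bookmarks', the callback names, the display id 'default' and the permission strings 'flag bookmarks' and 'administer flags' are assumptions for illustration.

```php
<?php
/**
 * Added example, not Flag module code. Assumed names: the path, the callback
 * names, the display id and the permission strings.
 */

/**
 * Implements hook_menu().
 */
function example_bookmarks_menu() {
  $items = array();
  $items['user/%user/example-bookmarks'] = array(
    'title' => 'Bookmarks',
    'page callback' => 'example_bookmarks_page',
    'page arguments' => array(1),
    // Vulnerable pattern, equivalent to the original view's access setting:
    // a capability permission alone, so anyone allowed to bookmark can read
    // every other user's list by changing the uid in the URL.
    //   'access arguments' => array('flag bookmarks'),
    // Hardened pattern: a callback that also receives the profile owner.
    'access callback' => 'example_bookmarks_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback: capability permission AND ownership of the resource.
 *
 * @param object $account
 *   The user whose tab was requested, loaded by the %user wildcard.
 *
 * @return bool
 *   TRUE to show the tab; FALSE yields a 403. The Views validator in the fix
 *   returns a 404 instead, which also hides whether the user exists.
 */
function example_bookmarks_access($account) {
  global $user;
  // Site administrators may review any list (assumed permission name).
  if (user_access('administer flags')) {
    return TRUE;
  }
  // Everyone else must hold the flag permission, be logged in, and be
  // looking at their own profile. Cast both ids before the strict compare.
  return user_access('flag bookmarks')
    && !empty($user->uid)
    && (int) $user->uid === (int) $account->uid;
}

/**
 * Page callback: render the bookmarks view for the now-validated uid.
 * 'flag_bookmarks_tab' is the view named in the advisory; the display id
 * 'default' is an assumption.
 */
function example_bookmarks_page($account) {
  return views_embed_view('flag_bookmarks_tab', 'default', $account->uid);
}
```

The point of the ownership line is that a permission answers "may this role use bookmarks at all?", not "may this account read that account's list?"; a per-user resource needs the second question answered on every request, whether in a Views validator or in an access callback.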
Also see the Flag [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dave Long [7]
-------- FIXED BY
------------------------------------------------------------
* Joachim Noreiko [8], the module maintainer
* Dave Long [9]
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
* Mori Sugimoto [12] of the Drupal Security Team
* Rick Manelius [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] https://www.drupal.org/project/flag
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/flag
[5] https://www.drupal.org/node/2793073
[6] https://www.drupal.org/project/flag
[7] https://www.drupal.org/user/246492
[8] https://www.drupal.org/user/107701
[9] https://www.drupal.org/user/246492
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/82971
[13] https://www.drupal.org/user/680072
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2789421
* Advisory ID: DRUPAL-SA-CONTRIB-2016-049
* Project: Workbench Scheduler [1] (third-party module)
* Version: 7.x
* Date: 2016-August-24
* Security risk: 13/25 ( Moderately Critical)
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Workbench Scheduler module provides users with the ability to create
schedules that change moderated content from one workbench moderation state
to another.
An authenticated user could add a schedule to a node even when that content
type has schedules disabled.
The vulnerability is mitigated by the fact that an attacker must have access
to an account in the system with permission to edit content and create
schedules. Also, only sites with a specific combination of permissions and
modules are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Workbench
Scheduler [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Workbench Scheduler module for Drupal 7.x, upgrade to
Workbench Scheduler 7.x-1.9 [5]
Also see the Workbench Scheduler [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Caroline Boyden [7]
-------- FIXED BY
------------------------------------------------------------
* Caroline Boyden [8]
* Joshua Bolduc [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/workbench_scheduler
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/workbench_scheduler
[5] https://www.drupal.org/project/workbench_scheduler/releases/7.x-1.9
[6] https://www.drupal.org/project/workbench_scheduler
[7] https://www.drupal.org/user/657902
[8] https://www.drupal.org/user/657902
[9] https://www.drupal.org/user/1386490
[10] https://www.drupal.org/u/pere-orga
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2785687
* Advisory ID: DRUPAL-SA-CONTRIB-2016-048
* Project: Panelizer [1] (third-party module)
* Version: 7.x
* Date: 2016-August-17
* Security risk: 12/25 ( Moderately Critical)
AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Panelizer enables you to use Panels to replace the display of any entity, and
even modify the Panels configuration in-place using the Panels In-Place
Editor (IPE).
The default behavior for Panels IPE is to allow any user with the permissions
"Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place
Editor" access to the IPE regardless of whether or not that user has access to
edit the underlying entity. While such users cannot edit the entity's own
fields, they can change the layout and the panel panes shown, which
effectively lets them edit it.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Use the Panels In-Place Editor" and the IPE must be
enabled for the specific content type.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Panelizer 7.x-3.x versions prior to 7.x-3.3.
Drupal core is not affected. If you do not use the contributed Panelizer [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Panelizer module for Drupal 7.x, upgrade to Panelizer
7.x-3.3 [5]
Also see the Panelizer [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Branden Hamilton [7]
* Joep Hendrix [8]
-------- FIXED BY
------------------------------------------------------------
* Jakob Perry [9] the module maintainer
* Damien Mckenna [10]
* Mike Potter [11] provisional member of the Drupal Security Team
* David Snopek [12] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Mike Potter [13] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] https://www.drupal.org/project/panelizer
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/panelizer
[5] https://www.drupal.org/project/panelizer/releases/7.x-3.3
[6] https://www.drupal.org/project/panelizer
[7] https://www.drupal.org/u/brandenlhamilton
[8] https://www.drupal.org/u/joep.hendrix
[9] https://www.drupal.org/u/japerry
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/mpotter
[12] https://www.drupal.org/u/dsnopek
[13] https://www.drupal.org/u/mpotter
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2785631
* Advisory ID: DRUPAL-SA-CONTRIB-2016-047
* Project: Panels [1] (third-party module)
* Version: 7.x
* Date: 2016-August-17
* Security risk: 15/25 ( Critical)
AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
.... Panels does not check access on some routes (Critical)
Panels allows users with certain permissions to modify the layout and panel
panes on pages or entities utilizing panels.
Much of the functionality to modify these panels relies on backend routes that
call administrative forms. These forms did not provide any access checks or
site-specific encoded URLs, so an attacker can guess the backend URL as an
anonymous user and see the data loaded for the form.
There is no mitigation for this exploit. Any site with Panels enabled is
vulnerable.
.... Panels In-place Editor does not properly check for access (Moderately
Critical)
The Panels In-Place Editor (IPE) allows users with certain permissions to
modify the layout and panel content of pages.
The default behavior for Panels IPE is to allow any user with the permissions
"Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place
Editor" access to the IPE regardless of whether or not that user has proper
access to the page. While such users cannot edit the page content itself, they
can change the layout and the different panel panes shown.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Use the Panels In-Place Editor" and the IPE must be
enabled for the specific content type.
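The access pattern behind the Panelizer advisory above and both Panels issues here, as an added example that is not code from the Panels or Panelizer projects: a Drupal 7 hook_menu() with a weak route next to a hardened one for a hypothetical in-place editing form on a node display. The hardened route checks the capability permission, update access on the underlying node (the check the IPE skipped), and a site-specific token so the URL cannot be guessed. The paths, the callback names and the permission string 'use panels ipe' are assumptions for illustration.

```php
<?php
/**
 * Added example, not Panels or Panelizer code. Assumed names: the paths, the
 * callback names and the permission string.
 */

/**
 * Implements hook_menu().
 */
function example_ipe_menu() {
  $items = array();

  // Weak: reachable by anyone who guesses the URL. An anonymous visitor
  // receives whatever data the form loads for this node's display.
  $items['example/ipe-weak/%node/edit-pane'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ipe_pane_form', 2),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // Hardened: an explicit access callback that receives the loaded node
  // (position 2) and the raw token component (position 3).
  $items['example/ipe/%node/%/edit-pane'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ipe_pane_form', 2),
    'access callback' => 'example_ipe_access',
    'access arguments' => array(2, 3),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback for the hardened route. All three checks are required.
 */
function example_ipe_access($node, $token) {
  // 1. Capability: may this role use the editor at all?
  if (!user_access('use panels ipe')) {
    return FALSE;
  }
  // 2. Object access: may this account change THIS node? Without this line
  //    the editor permission alone grants layout changes on any node.
  if (!node_access('update', $node)) {
    return FALSE;
  }
  // 3. Site-specific URL: drupal_valid_token() recomputes an HMAC over the
  //    value keyed by the session id, the site's private key and hash salt,
  //    so the route cannot be guessed from another site or another session.
  return drupal_valid_token($token, 'example_ipe:' . $node->nid);
}

/**
 * Builds the URL for the hardened route with the token embedded.
 */
function example_ipe_edit_url($node) {
  $token = drupal_get_token('example_ipe:' . $node->nid);
  return url('example/ipe/' . $node->nid . '/' . $token . '/edit-pane');
}

/**
 * The administrative form itself; its content is irrelevant to the access
 * point, but note that it is the data loaded here that leaks on the weak route.
 */
function example_ipe_pane_form($form, &$form_state, $node) {
  $form['note'] = array(
    '#markup' => t('Editing the display of %title', array('%title' => $node->title)),
  );
  return $form;
}
```

Check 2 is the one most often missing in editor-style modules: the permission says the role may use the tool, node_access() says whether it may be pointed at this particular entity. Check 3 does not replace checks 1 and 2; a token only makes the URL unguessable for someone who was never offered a link.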
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Panels 7.x-3.x versions prior to 7.x-3.6.
Drupal core is not affected. If you do not use the contributed Panels [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Panels module for Drupal 7.x, upgrade to Panels 7.x-3.6 [5]
Also see the Panels [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
* John Coltrane [8]
* Branden Hamilton [9]
* Joep Hendrix [10]
-------- FIXED BY
------------------------------------------------------------
* Jakob Perry [11] the module maintainer
* Damien Mckenna [12]
* Mike Potter [13] provisional member of the Drupal Security Team
* David Snopek [14] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Mike Potter [15] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [16].
Learn more about the Drupal Security team and their policies [17], writing
secure code for Drupal [18], and securing your site [19].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [20]
[1] https://www.drupal.org/project/panels
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/panels
[5] https://www.drupal.org/node/2785597/edit
[6] https://www.drupal.org/project/panels
[7] https://www.drupal.org/u/pere-orga
[8] https://www.drupal.org/u/jcoltrane
[9] https://www.drupal.org/u/brandenlhamilton
[10] https://www.drupal.org/user/125580
[11] https://www.drupal.org/u/japerry
[12] https://www.drupal.org/u/damienmckenna
[13] https://www.drupal.org/u/mpotter
[14] https://www.drupal.org/u/dsnopek
[15] https://www.drupal.org/u/mpotter
[16] https://www.drupal.org/contact
[17] https://www.drupal.org/security-team
[18] https://www.drupal.org/writing-secure-code
[19] https://www.drupal.org/security/secure-configuration
[20] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2785531
* Advisory ID: DRUPAL-SA-CONTRIB-2016-046
* Project: Hosting [1] (third-party module)
* Version: 7.x
* Date: 2016-August-17
* Security risk: 9/25 ( Less Critical)
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Hosting module is a core component of the Aegir Hosting System.
This install profile, and accompanying suite of modules, is a hosting system
that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal
sites.
The Hosting module does not sufficiently control access to any custom content
types created by the user. The default content types are sufficiently
protected.
This vulnerability is mitigated by the fact that on a typical installation
the users who have access normally have admin privilege already, and few
installations will have created additional custom content types.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Hosting 7.x-3.x versions prior to 7.x-3.7.
Drupal core is not affected. If you do not use the contributed Hosting [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Hosting module for Drupal 7.x, upgrade to Hosting 7.x-3.7
[5]
Also see the Hosting [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Robin van Sloten (Neograph734) [7]
-------- FIXED BY
------------------------------------------------------------
* Herman van Rink (helmo) [8], one of the module maintainers
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/hosting
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/hosting
[5] https://www.drupal.org/project/hosting/releases/7.x-3.7
[6] https://www.drupal.org/project/hosting
[7] https://www.drupal.org/user/2397482
[8] https://www.drupal.org/u/helmo
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2782109
* Advisory ID: DRUPAL-SA-CONTRIB-2016-045
* Project: Require Login [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2016-August-10
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to restrict site access without using user roles or
permissions.
The module does not sufficiently escape some of its settings, and, in some
cases, allows malicious users to bypass the protection offered by Require
Login.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Require Login 7.x-2.x versions prior to 7.x-2.4
* Require Login 8.x-1.x versions prior to 8.x-1.8
Drupal core is not affected. If you do not use the contributed Require Login
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Require Login module for Drupal 7.x, upgrade to Require
Login 7.x-2.4 [5]
* If you use the Require Login module for Drupal 8.x, upgrade to Require
Login 8.x-1.8 [6]
Also see the Require Login [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Robert Phillips [9] the module maintainer
* Ivo Van Geertruyen [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Ivo Van Geertruyen [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/require_login
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/require_login
[5] https://drupal.org/project/require_login/releases/7.x-2.4
[6] https://drupal.org/project/require_login/releases/8.x-1.8
[7] https://www.drupal.org/project/require_login
[8] https://www.drupal.org/u/mr.baileys
[9] https://www.drupal.org/user/459772
[10] https://www.drupal.org/u/mr.baileys
[11] https://www.drupal.org/u/mr.baileys
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2782027
* Advisory ID: DRUPAL-SA-CONTRIB-2016-043
* Project: Piwik Web Analytics [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2016-August-10
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add integration with the Piwik statistics service.
The module allows admin users to enter custom JavaScript snippets to add
advanced tracking functionality. The permission required to enter this
JavaScript was not marked as restricted.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Piwik".
For greater flexibility a new feature has been added to the module to
implement the new permission "Add JavaScript snippets" that can be assigned
to users who are allowed to add JS code snippets into your web site.
If you have granted the "Administer Piwik" permission to untrusted users,
please review the stored code snippets to make sure they contain only the
JavaScript you expect.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Piwik 7.x-2.x versions prior to 7.x-2.9.
* Piwik 8.x-1.x versions prior to 8.x-1.1.
Drupal core is not affected. If you do not use the contributed Piwik Web
Analytics [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Piwik module for Drupal 7.x, upgrade to Piwik 7.x-2.9 [5]
* If you use the Piwik module for Drupal 8.x, upgrade to Piwik 8.x-1.1 [6]
Also see the Piwik Web Analytics [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Alexander Hass [8] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Alexander Hass [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/piwik
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/piwik
[5] https://www.drupal.org/project/piwik/releases/7.x-2.9
[6] https://www.drupal.org/project/piwik/releases/8.x-1.1
[7] https://www.drupal.org/project/piwik
[8] https://www.drupal.org/u/hass
[9] https://www.drupal.org/u/hass
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2782023
* Advisory ID: DRUPAL-SA-CONTRIB-2016-042
* Project: Google Analytics [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2016-August-10
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add integration with Google Analytics statistics
service.
The module allows admin users to enter custom JavaScript snippets to add
advanced tracking functionality. The permission required to enter this
JavaScript was not marked as restricted.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Google Analytics".
For greater flexibility a new feature has been added to the module to
implement the new permission "Add JavaScript snippets" that can be assigned
to users who are allowed to add JS code snippets into your web site.
If you have granted the "Administer Google Analytics" permission to untrusted
users, please review the stored code snippets to make sure they contain only
the JavaScript you expect.
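What "marked as restricted" and the new snippet permission look like in a Drupal 7 module, as an added example for both this advisory and the Piwik one above (this is not code from the Google Analytics or Piwik modules): a hook_permission() that sets 'restrict access' on the administrative permission, a separate permission for the JavaScript fields, and a settings form that only exposes those fields to holders of that permission. The module name 'example_tracker', the permission strings, the variable names and the form element names are assumptions for illustration.

```php
<?php
/**
 * Added example, not Google Analytics or Piwik module code. Assumed names:
 * the module name, the permission strings, the variable and element names.
 */

/**
 * Implements hook_permission().
 */
function example_tracker_permission() {
  return array(
    'administer example tracker' => array(
      'title' => t('Administer Example Tracker'),
      // Without this flag the permissions page gives no hint that the holder
      // can put script into every page. 'restrict access' => TRUE adds the
      // "security implications" warning beside the checkbox.
      'restrict access' => TRUE,
    ),
    'add example tracker js' => array(
      'title' => t('Add JavaScript snippets'),
      'description' => t('Holders can add code that runs in every visitor\'s browser.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_tracker_menu() {
  $items = array();
  $items['admin/config/system/example-tracker'] = array(
    'title' => 'Example Tracker',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_tracker_admin_form'),
    'access arguments' => array('administer example tracker'),
  );
  return $items;
}

/**
 * Settings form. The account ID is ordinary configuration; the snippet
 * fields are shown, and their input accepted, only with the JS permission.
 */
function example_tracker_admin_form($form, &$form_state) {
  $form['example_tracker_account'] = array(
    '#type' => 'textfield',
    '#title' => t('Tracking account ID'),
    '#default_value' => variable_get('example_tracker_account', ''),
  );
  $form['codesnippet'] = array(
    '#type' => 'fieldset',
    '#title' => t('Custom JavaScript code'),
    // With #access FALSE the Form API neither renders the fieldset nor
    // processes submitted input for it or its children, so a user who lacks
    // the permission cannot simply post the field names by hand.
    '#access' => user_access('add example tracker js'),
  );
  $form['codesnippet']['example_tracker_codesnippet_before'] = array(
    '#type' => 'textarea',
    '#title' => t('Code snippet (before the tracking call)'),
    '#default_value' => variable_get('example_tracker_codesnippet_before', ''),
  );
  return system_settings_form($form);
}
```

Splitting the permissions is what lets a site hand out day-to-day configuration (the account ID) to a content team while keeping the script-injection capability with the same small group that could already edit themes or modules; the 'restrict access' flag makes that trade-off visible on the permissions page where roles are assigned.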
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Google Analytics 7.x-2.x versions prior to 7.x-2.3.
* Google Analytics 8.x-2.x versions prior to 8.x-2.1.
Drupal core is not affected. If you do not use the contributed Google
Analytics [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Google Analytics module for Drupal 7.x, upgrade to Google
Analytics 7.x-2.3 [5]
* If you use the Google Analytics module for Drupal 8.x, upgrade to Google
Analytics 8.x-2.1 [6]
Also see the Google Analytics [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Lee Rowlands [9] of the Drupal Security Team
* Alexander Hass [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/google_analytics
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/google_analytics
[5] https://www.drupal.org/project/google_analytics/releases/7.x-2.3
[6] https://www.drupal.org/project/google_analytics/releases/8.x-2.1
[7] https://www.drupal.org/project/google_analytics
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/hass
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2778501
* Advisory ID: DRUPAL-SA-CONTRIB-2016-041
* Project: Administration Views [1] (third-party module)
* Version: 7.x
* Date: 2016-August-03
* Security risk: 16/25 ( Critical)
AC:Basic/A:None/CI:Some/II:None/E:Exploit/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Administration Views module replaces overview/listing pages with actual views
for superior usability.
The module does not check access properly under certain circumstances.
Anonymous users could get access to read information they should not have
access to.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Administration Views 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Administration
Views [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Administration Views module for Drupal 7.x, upgrade to
Administration Views 7.x-1.6 [5]
Also see the Administration Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* John P Warren [7]
-------- FIXED BY
------------------------------------------------------------
* Damian Lee [8] a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/admin_views
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/admin_views
[5] https://www.drupal.org/project/admin_views/releases/7.x-1.6
[6] https://www.drupal.org/project/admin_views
[7] https://www.drupal.org/user/19623
[8] https://www.drupal.org/user/1037976
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity