View online: https://www.drupal.org/node/2846791
* Advisory ID: DRUPAL-SA-CONTRIB-2017-008
* Project: Salescloud [1] (third-party module)
* Version: 7.x
* Date: 2017-Jan-25
* Security risk: 19/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
-------- DESCRIPTION
---------------------------------------------------------
This module Connects Drupal to SalesCloud's API, a Commerce Platform as a
Service.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed salescloud [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the salescloud module for Drupal 7.x you should uninstall it.
Also see the salescloud [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Cash Williams [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] https://www.drupal.org/project/oauth
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/salescloud
[5] https://www.drupal.org/project/salescloud
[6] https://www.drupal.org/u/cashwilliams
[7] https://www.drupal.org/contact
[8] https://www.drupal.org/security-team
[9] https://www.drupal.org/writing-secure-code
[10] https://www.drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2846787
* Advisory ID: DRUPAL-SA-CONTRIB-2017-006
* Project: oauth [1] (third-party module)
* Version: 7.x
* Date: 2017-Jan-25
* Security risk: 19/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
-------- DESCRIPTION
---------------------------------------------------------
This module implements the OAuth 1.0 standard for use with Drupal and acts as
a support module for other modules that wish to use OAuth.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Oauth [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the oauth module for Drupal 7.x you should uninstall it.
Also see the oauth [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tim Brandin [6]
* Damien McKenna [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/oauth
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/oauth
[5] https://www.drupal.org/project/oauth
[6] https://www.drupal.org/u/timbrandin
[7] https://www.drupal.org/u/DamienMcKenna
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2842760
* Advisory ID: DRUPAL-SA-CONTRIB-2017-005
* Project:
(third-party module)
* Version: 7.x
* Date: 2017-January-11
* Security risk: 23/25 ( Highly Critical)
AC:None/A:User/CI:All/II:All/E:Exploit/TD:All [1]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The Mailjet module integrates with a 3rd party system to deliver
site-generated emails, including newsletters, system notifications, etc.
The Mailjet module included v5.2.8 of the PHPMailer library in its "includes"
directory. Per PSA-2016-004 [2], this version of the PHPMailer library was
vulnerable to PHP code execution.
Per Drupal.org policy, 3rd party code should not be stored [3] in drupal.org
repositories.
Updating this module will require manual actions to replace the PHPMailer
library as described in the README.txt file included in the release.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mailjet 7.x-2.x versions prior 7.x-2.9.
Drupal core is not affected. If you do not use the contributed
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet7.x-2.9
[5]
Also see the
project page.
-------- REPORTED BY
---------------------------------------------------------
* hargobind [6]
-------- FIXED BY
------------------------------------------------------------
* Proxiad [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Damien McKenna [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/security-team/risk-levels
[2] https://www.drupal.org/psa-2016-004
[3] https://www.drupal.org/node/422996
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/mailjet/releases/7.x-2.9
[6] https://www.drupal.org/u/hargobind
[7] https://www.drupal.org/u/proxiad
[8] https://www.drupal.org/u/damienmckenna
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2842759
* Advisory ID: DRUPAL-SA-CONTRIB-2017-004
* Project: OpenLucius [1] (third-party distribution)
* Version: 7.x
* Date: 2017-January-11
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
OpenLucius is a work management platform for social communication,
documentation, and projects.
The distribution doesn't sufficiently use tokens when marking messages for
users as read thereby exposing a Cross Site Request Forgery (CSRF)
vulnerability.
The distribution does not sufficiently filter taxonomy term names before
outputting them to HTML thereby exposing a Cross Site Scripting (XSS)
vulnerability. This vulnerability is mitigated by the fact that an attacker
must have permissions to insert malicious taxonomy terms.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Openlucius 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed OpenLucius
News [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Openlucius for Drupal 7.x, upgrade to Openlucius 7.x-1.7
[5]
Also see the OpenLucius News [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Thomas Dik [8] the distribution maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/openlucius
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/openlucius_news
[5] https://www.drupal.org/project/openlucius/releases/7.x-1.7
[6] https://www.drupal.org/project/openlucius_news
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/1718070
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2842730
* Advisory ID: DRUPAL-SA-CONTRIB-2017-003
* Project: Autocomplete Deluxe [1] (third-party module)
* Version: 7.x
* Date: 2017-January-11
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module creates a new widget for taxonomy fields based on JQuery UI
autocomplete.
The module doesn't sufficiently escape the entered taxonomy terms thereby
exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is
mitigated by the fact that an attacker must have the permission to edit a
taxonomy field.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Autocomplete Deluxe 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Autocomplete
Deluxe [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the autocomplete deluxe module for Drupal 7.x, upgrade to
Autocomplete Deluxe 7.x-2.2 [5]
Also see the Autocomplete Deluxe [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* René Wolf [7]
-------- FIXED BY
------------------------------------------------------------
* Sebastian Gilits [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/autocomplete_deluxe
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/autocomplete_deluxe
[5] https://www.drupal.org/project/autocomplete_deluxe/releases/7.x-2.2
[6] https://www.drupal.org/project/autocomplete_deluxe
[7] https://www.drupal.org/user/927032
[8] https://www.drupal.org/user/512828
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2841114
* Advisory ID: DRUPAL-SA-CONTRIB-2017-002
* Project: Doubleclick for Publishers (DFP) [1] (third-party module)
* Version: 7.x
* Date: 2017-January-04
* Security risk: 10/25 ( Moderately Critical)
AC:Complex/A:User/CI:None/II:None/E:Exploit/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to to place advertisements on your site that are
served by Google's DFP (Doubleclick for Publisher) service.
The module has multiple Cross Site Scripting (XSS) vulnerabilities due to not
sufficiently escaped fields. These vulnerabilities are mitigated by the fact
that an attacker must have a role with the permission "administer DFP".
The "administer DFP" permission is not marked as restricted.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* DFP 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Doubleclick
for Publishers (DFP) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the DFP module for Drupal 7.x, upgrade to Doubleclick for
Publishers (DFP) 7.x-1.5 [5]
Also see the Doubleclick for Publishers (DFP) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Alex Pott [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Alex Pott [8] of the Drupal Security Team
* Alexander Ross (bleen) [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
* Cash Williams [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/dfp
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/dfp
[5] https://www.drupal.org/project/dfp/releases/7.x-1.5
[6] https://www.drupal.org/project/dfp
[7] https://www.drupal.org/u/alexpott
[8] https://www.drupal.org/u/alexpott
[9] https://www.drupal.org/user/77375
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/u/cashwilliams
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2841094
* Advisory ID: DRUPAL-SA-CONTRIB-2017-001
* Project: Permissions by Term [1] (third-party module)
* Version: 8.x
* Date: 2017-January-04
* Security risk: 15/25 ( Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
The Permissions by Term module extends Drupal functionality by restricting
access to single nodes via taxonomy terms. Taxonomy terms are part of the
Drupal core functionality. Taxonomy term permissions can be coupled to
specific user accounts and/or user roles.
Enabling the module unintentionally gives access to all unpublished nodes to
anonymous users
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Permissions by Term 8.x-1.x versions prior to 8.x-1.11.
Drupal core is not affected. If you do not use the contributed Permissions by
Term [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Permissions by Term module for Drupal 8.x, upgrade to
Permissions by Term 8.x-1.11. [5]
Also see the Permissions by Term [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* cedric_a [7]
-------- FIXED BY
------------------------------------------------------------
* Peter Majmesku (jepSter) [8] - the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/permissions_by_term
[5] https://www.drupal.org/project/permissions_by_term/releases/8.x-1.11
[6] https://www.drupal.org/project/permissions_by_term
[7] https://www.drupal.org/u/cedric_a
[8] https://www.drupal.org/u/jepster
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity