View online: https://www.drupal.org/node/2862986
* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Linkit - Enriched linking experience [1] (third-party module)
* Version: 8.x
* Date: 2017-March-22
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Linkit provides an easy interface for internal and external linking with
WYSIWYG editors by using an autocomplete field.
When searching for entities, this module doesn't always enforce the access
restrictions and users may see information about entities they should not be
able to access.
This is mitigated by the fact that a user must have access to a text format
that uses Linkit.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Linkit 8.x-4.x versions prior to 8.x-4.3.
Drupal core is not affected. If you do not use the contributed Linkit -
Enriched linking experience [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.3 [5]
Also see the Linkit - Enriched linking experience [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ben Dougherty [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Emil Stjerneman [8] the module maintainer
* Ben Dougherty [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/linkit
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/linkit
[5] https://www.drupal.org/project/linkit/releases/8.x-4.3
[6] https://www.drupal.org/project/linkit
[7] https://www.drupal.org/user/1852732
[8] https://www.drupal.org/user/464598
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2862985
* Advisory ID: DRUPAL-SA-CONTRIB-2017-032
* Project: Office Hours [1] (third-party module)
* Version: 7.x
* Date: 2017-March-22
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to show the office hours of a location to the public.
The module doesn't sufficiently filter user input for malicious Cross Site
Scripting (XSS).
This vulnerability is mitigated by the fact that an attacker must have a role
with a permission to add fields to an entity.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Office Hours 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Office Hours
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Office Hours module for Drupal 7.x, upgrade to office_hours
7.x-1.6 [5]
Also see the Office Hours [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Drupal_Jedi [7]
-------- FIXED BY
------------------------------------------------------------
* Drupal_Jedi [8]
* John Voskuilen [9]
* Dave Hall [10]
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/office_hours
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/office_hours
[5] https://www.drupal.org/node/2860680
[6] https://www.drupal.org/project/office_hours
[7] https://www.drupal.org/u/Drupal_Jedi
[8] https://www.drupal.org/u/Drupal_Jedi
[9] https://www.drupal.org/u/johnv
[10] https://www.drupal.org/u/skwashd
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/SA-2017-001
Drupal 8.2.7, a maintenance release which contains fixes for security
vulnerabilities, is now available for download.
Download Drupal 8.2.7 [1]
*Upgrading [2] your existing Drupal 8 sites is strongly recommended.* There
are no new features nor non-security-related bug fixes in this release. See
the 8.2.7 release notes [3] for details on important changes and known issues
affecting this release. Read on for details of the security vulnerabilities
that were fixed in this release.
* Advisory ID: DRUPAL-SA-CORE-2017-001
* Project: Drupal core [4]
* Version: 7.x, 8.x
* Date: 2017-March-15
-------- DESCRIPTION
---------------------------------------------------------
.. Editor module incorrectly checks access to inline private files - Drupal 8
- Access Bypass - Critical - CVE-2017-6377
When adding a private file via a configured text editor (like CKEditor), the
editor will not correctly check access for the file being attached, resulting
in an access bypass.
.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379
Some administrative paths did not include protection for CSRF. This would
allow an attacker to disable some blocks on a site. This issue is mitigated
by the fact that users would have to know the block ID.
.. Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381
A 3rd-party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution.
This is mitigated by the default .htaccess protection against PHP execution,
and the fact that Composer development dependencies aren't normally installed.
You might be vulnerable to this if you are running a version of Drupal before
8.2.2. To be sure you aren't vulnerable, you can remove the
/vendor/phpunit directory from the site root of your production deployments.
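The mitigation above depends on two things an operator can check mechanically: whether a dev-only package such as phpunit is present under the site's vendor directory at all, and whether that directory is shielded from direct web access. The following audit script is an added example for this digest, not part of the advisory or of Drupal core. It assumes the Composer default layout (docroot/vendor/<package>) and treats an Apache "Deny from all" or "Require all denied" directive in vendor/.htaccess as the protection the advisory refers to; both are assumptions, and the package list is deliberately limited to the one package the advisory names.

```python
import os

# Development-only vendor packages that should not be deployed to production.
# Only phpunit is named in the advisory; the tuple is easy to extend. The
# layout docroot/vendor/<package> is the Composer default (assumption).
DEV_ONLY_PACKAGES = ("phpunit",)

# Apache directives that block direct web access to a directory. Assumption:
# either form counts as protection (Apache 2.2 and 2.4 syntax respectively).
DENY_DIRECTIVES = ("deny from all", "require all denied")


def vendor_dir_is_denied(vendor_dir):
    """True if vendor/.htaccess exists and denies all web access."""
    htaccess = os.path.join(vendor_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return any(directive in text for directive in DENY_DIRECTIVES)


def audit_dev_dependencies(docroot):
    """Report dev-only packages present under docroot/vendor.

    Returns a dict mapping package name -> True if the package directory
    exists and is NOT shielded by a denying vendor/.htaccess (directly
    reachable through the web server), or False if it exists but is shielded.
    Packages that are absent are omitted, so an empty dict is the clean state.
    """
    vendor_dir = os.path.join(docroot, "vendor")
    denied = vendor_dir_is_denied(vendor_dir)
    report = {}
    for pkg in DEV_ONLY_PACKAGES:
        if os.path.isdir(os.path.join(vendor_dir, pkg)):
            report[pkg] = not denied
    return report


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = audit_dev_dependencies(root)
    if not findings:
        print(f"{root}: no dev-only packages found under vendor/")
    for pkg, exposed in findings.items():
        state = ("EXPOSED (no denying vendor/.htaccess)" if exposed
                 else "present but denied by vendor/.htaccess")
        print(f"{root}: vendor/{pkg} {state}; remove it from production deployments")
```

Run it with the site root as the first argument. A package that is present but denied is still worth removing, since the .htaccess only helps on web servers that honour it; the advisory's instruction to delete /vendor/phpunit from production is the robust fix.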
-------- SOLUTION
------------------------------------------------------------
Upgrade to Drupal 8.2.7
-------- REPORTED BY
---------------------------------------------------------
.. Editor module incorrectly checks access to inline private files - Drupal 8
- Access Bypass - Critical - CVE-2017-6377
* Casey [5]
.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379
* Samuel Mortenson [6]
.. Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381
* Timo Hilsdorf [7]
-------- FIXED BY
------------------------------------------------------------
.. Editor module incorrectly checks access to inline private files - Drupal 8
- Access Bypass - Critical - CVE-2017-6377
* László Csécsy [8]
* Wim Leers [9]
* Alex Pott [10] of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team
.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379
* Samuel Mortenson [12]
* Sascha Grossenbacher
.. Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381
* Klaus Purer [13] of the Drupal Security Team
* Mixologic [14]
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [15].
Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [19]
[1] http://ftp.drupal.org/files/projects/drupal-8.2.7.tar.gz
[2] https://www.drupal.org/upgrade
[3] https://www.drupal.org/project/drupal/releases/8.2.7
[4] https://www.drupal.org/project/drupal
[5] https://www.drupal.org/u/casey
[6] http://drupal.org/u/samuel.mortenson
[7] https://www.drupal.org/user/3506593
[8] https://www.drupal.org/u/Boobaa
[9] https://www.drupal.org/u/wim-leers
[10] https://www.drupal.org/u/alexpott
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/u/samuel.mortenson
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/Mixologic
[15] https://www.drupal.org/contact
[16] https://www.drupal.org/security-team
[17] https://www.drupal.org/writing-secure-code
[18] https://www.drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2860906
* Advisory ID: DRUPAL-SA-CONTRIB-2017-031
* Project: Private [1] (third-party module)
* Version: 7.x
* Date: 2017-March-15
* Security risk: 15/25 (Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to mark nodes as private so that they are only
accessible to users that have been granted an extra permission.
The module doesn't always enforce the access restrictions. In some cases a
node that a site admin expects to be private is actually accessible as normal
or nodes may be editable in ways a site admin may not expect.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Private 7.x-1.x versions
Drupal core is not affected. If you do not use the contributed Private [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Private module 7.x-1.x your site may be at risk. The only
completely safe option is to take the website off-line. In most cases,
disabling the module will not mitigate the vulnerabilities as that will
expose even more private information.
* A new maintainer has developed a beta secure version of the module using
the 7.x-2.x branch. This is a partial rewrite and /needs further testing/.
Please test it and provide bug reports and help developing patches.
Also see the Private [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Adam Shepherd [6]
-------- FIXED BY
------------------------------------------------------------
* Adam Shepherd [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/private
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/private
[5] https://www.drupal.org/project/private
[6] https://www.drupal.org/u/adamps
[7] https://www.drupal.org/u/adamps
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2858880
* Advisory ID: DRUPAL-SA-CONTRIB-2017-030
* Project: Password Reset Landing Page (PRLP) [1] (third-party module)
* Version: 8.x
* Date: 2017-March-08
* Security risk: 16/25 (Critical)
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Privilege escalation
-------- DESCRIPTION
---------------------------------------------------------
This module adds a form on the password-reset-landing page to allow changing
the password of the user during the log in process.
The module does not sufficiently validate all access tokens, which allows an
attacker to change the password of any arbitrary user and gain access to
their account.
In order to exploit, the attacker must have an active account on the site.
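The flaw described above is a failure to validate every part of a password-reset authorisation before acting on it. The following Python example is added for this digest and is not the PRLP module's code or Drupal's own user_pass_reset implementation; it models the same shape of check generically. The token format (an HMAC over uid, timestamp and the current password hash), the 24-hour lifetime, the secret and the user table are all constructed for the example. The point it demonstrates is that the form must check the token's signature, its expiry, and, the check a landing-page form can most easily forget, that the account whose password is about to change is the account the token was issued for.

```python
import hashlib
import hmac
import time

# Constructed for the example only: a server-side secret and a user table.
SITE_SECRET = b"example-site-secret-do-not-reuse"
USERS = {
    7: {"name": "alice", "pass_hash": "hash-of-alice-password"},
    9: {"name": "bob", "pass_hash": "hash-of-bob-password"},
}
TOKEN_LIFETIME = 24 * 60 * 60  # seconds a reset link stays valid (assumed)


def make_reset_token(uid, timestamp):
    """Build a reset token bound to the user, the issue time and the current password hash.

    Binding the current password hash means the token dies as soon as the
    password changes; binding the uid means it cannot be replayed against
    another account.
    """
    user = USERS[uid]
    msg = f"{uid}:{timestamp}:{user['pass_hash']}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def validate_reset(uid, timestamp, token, target_uid, now=None):
    """Return True only if the token authorises changing target_uid's password.

    Every element of the reset link is checked: the account exists, the link
    has not expired (and is not from the future), the token is the one issued
    for this uid and this password hash, and the account being changed is the
    one the token was issued for.
    """
    now = time.time() if now is None else now
    if uid not in USERS:
        return False
    if now - timestamp > TOKEN_LIFETIME or timestamp > now:
        return False
    expected = make_reset_token(uid, timestamp)
    # Constant-time comparison so the check does not leak how many leading
    # characters of a guessed token were right.
    if not hmac.compare_digest(expected, token):
        return False
    # The account whose password changes must be the account the token names.
    return uid == target_uid


def change_password(uid, timestamp, token, target_uid, new_hash, now=None):
    """Change the password only after full validation; returns True on success."""
    if not validate_reset(uid, timestamp, token, target_uid, now=now):
        return False
    USERS[target_uid]["pass_hash"] = new_hash
    return True
```

Because the password hash is part of the signed message, a link that has been used once stops validating on its own; no separate "used" flag is needed for that property, although a real implementation would usually also invalidate the session that issued the link.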
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* PRLP versions prior to 8.x-1.3
Drupal core is not affected. If you do not use the contributed Password Reset
Landing Page (PRLP) [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 [5]
(the latest 8.x release as of this advisory date).
Also see the Password Reset Landing Page (PRLP) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Renaud CUNY [7]
-------- FIXED BY
------------------------------------------------------------
* Jitesh Doshi [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/prlp
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/prlp
[5] https://www.drupal.org/project/prlp/releases/8.x-1.3
[6] https://www.drupal.org/project/prlp
[7] https://www.drupal.org/u/renaudcuny
[8] https://www.drupal.org/user/1799550
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2858847
* Advisory ID: DRUPAL-SA-CONTRIB-2016-029
* Project: Services [1] (third-party module)
* Version: 7.x
* Date: 2017-March-08
* Security risk: 21/25 (Highly Critical)
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
This module provides a standardized solution for building APIs so that
external clients can communicate with Drupal.
The module accepts user submitted data in PHP's serialization format
("Content-Type: application/vnd.php.serialized") which can lead to arbitrary
remote code execution.
This vulnerability is mitigated by the fact that an attacker must know your
Service Endpoint's path, and your Service Endpoint must have
"application/vnd.php.serialized" enabled as a request parser.
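The mitigating factors above (the endpoint path and whether the serialized-PHP parser is enabled) also tell a defender what to look for: any request that arrives with that Content-Type on an endpoint is either a misconfigured client or a probe. The following detection script is an added example for this digest, not code from the Services module or from drupal.org. It assumes the web server logs the request Content-Type header, for instance with an Apache LogFormat of "%h %t \"%r\" %>s \"%{Content-Type}i\"" (the format and the /api endpoint path are assumptions), and the sample log lines are constructed.

```python
import re
from typing import NamedTuple

# Assumed Apache LogFormat for the sample lines; the %{Content-Type}i field is
# what makes the request parser visible in the log:
#   "%h %t \"%r\" %>s \"%{Content-Type}i\""
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Constructed sample log lines; the /api endpoint path is an assumption.
SAMPLE_LOG = """\
203.0.113.5 [08/Mar/2017:10:00:01 +0000] "POST /api/node HTTP/1.1" 200 "application/json"
203.0.113.9 [08/Mar/2017:10:00:02 +0000] "POST /api/user/login HTTP/1.1" 200 "application/vnd.php.serialized"
198.51.100.2 [08/Mar/2017:10:00:03 +0000] "GET /api/node/1 HTTP/1.1" 200 "-"
198.51.100.2 [08/Mar/2017:10:00:04 +0000] "PUT /api/node/1 HTTP/1.1" 403 "Application/VND.PHP.Serialized; charset=utf-8"
"""

SERIALIZED_MIME = "application/vnd.php.serialized"


class Hit(NamedTuple):
    host: str
    time: str
    method: str
    path: str
    status: str


def mime_type(content_type):
    """Normalise a Content-Type header to its bare media type: no parameters, lower case.

    Header names and media types are case-insensitive, so a comparison on the
    raw string would miss "Application/VND.PHP.Serialized".
    """
    return content_type.split(";", 1)[0].strip().lower()


def find_serialized_requests(log_text):
    """Return every request that sent a PHP-serialized body, regardless of outcome.

    Both 200 and 403 responses are kept: a rejected request is still a sign
    that someone is looking for the parser, and a 200 on a site where the
    parser is meant to be disabled is a configuration finding.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        if mime_type(m["ctype"]) == SERIALIZED_MIME:
            hits.append(Hit(m["host"], m["time"], m["method"], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_serialized_requests(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.method} {hit.path} -> {hit.status}")
```

On a site where the parser has been disabled under "Request parsing", a 200 for one of these requests means the change did not take effect on that endpoint and is worth re-checking; on a site still running an affected release, any hit should be treated as a possible exploitation attempt.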
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Services 7.x-3.x versions prior to 7.x-3.19.
Drupal core is not affected. If you do not use the contributed Services [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Services 3.x module for Drupal 7.x, upgrade to Services
7.x-3.19 [5]
You may disable "application/vnd.php.serialized" under "Request parsing" in
Drupal to prevent the exploit:
/admin/structure/services/list/[my-endpoint]/server
However, installing the latest version of the Services module is highly
recommended.
Also see the Services [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Charles Fol [7]
-------- FIXED BY
------------------------------------------------------------
* Kyle Browning [8], module maintainer
* Tyler Frankenstein [9], module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
* Michael Hess [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/project/services/releases/7.x-3.19
[6] https://www.drupal.org/project/services
[7] https://www.drupal.org/user/3520095
[8] https://www.drupal.org/user/211387
[9] https://www.drupal.org/user/150680
[10] https://www.drupal.org/user/262198
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2857073
* Advisory ID: DRUPAL-SA-CONTRIB-2017-028
* Project: breakpoint panels [1] (third-party module)
* Version: 7.x
* Date: 2017-March-01
-------- DESCRIPTION
---------------------------------------------------------
Breakpoint panels adds a button to the Panels In-Place Editor for each pane.
When selected, it will display checkboxes next to all of the breakpoints
specified in that module's UI. Unchecking any of these will 'hide' it from
that breakpoint.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [2] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed breakpoint
panels [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the breakpoint panels module for Drupal 7.x you should uninstall
it.
Also see the breakpoint panels [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Dylan Tack [5]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [10]
[1] https://www.drupal.org/project/breakpoint_panels
[2] http://cve.mitre.org/
[3] https://www.drupal.org/project/breakpoint_panels
[4] https://www.drupal.org/project/breakpoint_panels
[5] https://www.drupal.org/user/96647
[6] https://www.drupal.org/contact
[7] https://www.drupal.org/security-team
[8] https://www.drupal.org/writing-secure-code
[9] https://www.drupal.org/security/secure-configuration
[10] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2857028
* Advisory ID: DRUPAL-SA-CONTRIB-2017-027
* Project: AES encryption [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2017-March-01
-------- DESCRIPTION
---------------------------------------------------------
This module provides an API that allows other modules to encrypt and decrypt
data using the AES encryption algorithm.
The module does not follow requirements for encrypting data safely. An
attacker who gains access to data encrypted with this module could decrypt it
more easily than should be possible. The maintainer has opted not to fix
these weaknesses. See solution section for details on how to migrate to a
supported and more secure AES encryption module.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [2] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of the AES module
Drupal core is not affected. If you do not use the contributed AES encryption
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you're using the AES module only because Drupal Remote Dashboard (DRD) [4]
and Drupal Remote Dashboard Server (DRD Server) [5] depend on it, then update
to the latest versions of DRD or DRD Server and disable the AES module -- those
modules no longer depend on it.
In all other situations, you can replace the AES module with the Real AES [6]
module:
* If you don't have a recent backup, make a backup of your site's database
and codebase. Consider taking your site offline (e.g. using Drupal's
maintenance mode) as some features may not work properly during this
upgrade process.
* *Do NOT follow the normal uninstall process for the AES module.* The
uninstall process would delete your encryption key and make it impossible
to recover your data! Instead, disable the module and delete the AES
module directory *without uninstalling the module.*
* Download and extract the latest release of Real AES [7]
* Download and extract the latest release of Key [8]
* Enable the Real AES, Key and AES compatibility modules
* Use the Key [9] module to create a new 128-bit encryption key with the
name "Real AES Key".
* Clear all your Drupal caches.
* Modules that depend on AES and store encrypted data will continue to
function as normal. They should decrypt and re-encrypt any stored data.
The Real AES module provides some functions from the AES module (like
aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but
will re-encrypt using the new key and more correct AES encryption.
*More detailed instructions available on the AES project page [10]*
Also see the AES encryption [11] project page.
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/aes
[2] http://cve.mitre.org/
[3] https://www.drupal.org/project/aes
[4] https://www.drupal.org/project/drd
[5] https://www.drupal.org/project/drd_server
[6] http://drupal.org/project/real_aes
[7] http://drupal.org/project/real_aes
[8] http://drupal.org/project/key
[9] http://drupal.org/project/key
[10] https://www.drupal.org/project/aes
[11] https://www.drupal.org/project/aes
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2857021
* Advisory ID: DRUPAL-SA-CONTRIB-2017-026
* Project: Location Map [1] (third-party module)
* Version: 7.x
* Date: 2017-March-01
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting, Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to display one simple location map via Google Maps.
The module doesn't sufficiently sanitize user input in the configuration text
fields of the module (allows any tags and does not respect text format
configuration).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer locationmap".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* locationmap 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Location Map
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install locationmap-7.x-2.4 [5]
Also see the Location Map [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Stefan Korn [7]
-------- FIXED BY
------------------------------------------------------------
* Stefan Korn [8] the module co-maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/locationmap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/locationmap
[5] https://www.drupal.org/project/locationmap/releases/7.x-2.4
[6] https://www.drupal.org/project/locationmap
[7] https://www.drupal.org/user/1942204
[8] https://www.drupal.org/user/1942204
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2857015
* Advisory ID: DRUPAL-SA-CONTRIB-2017-025
* Project: Remember Me [1] (third-party module)
* Version: 7.x
* Date: 2017-March-01
-------- DESCRIPTION
---------------------------------------------------------
Remember me is a module that allows users to check "Remember me" when
logging in.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [2] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Remember Me
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the remember_me module for Drupal 7.x you should uninstall it.
Also see the remember_me [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kristiaan Van den Eynde [5]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [6].
Learn more about the Drupal Security team and their policies [7], writing
secure code for Drupal [8], and securing your site [9].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [10]
[1] https://www.drupal.org/project/remember_me
[2] http://cve.mitre.org/
[3] https://www.drupal.org/project/remember_me
[4] https://www.drupal.org/project/remember_me
[5] https://www.drupal.org/user/1345130
[6] https://www.drupal.org/contact
[7] https://www.drupal.org/security-team
[8] https://www.drupal.org/writing-secure-code
[9] https://www.drupal.org/security/secure-configuration
[10] https://twitter.com/drupalsecurity