View online: https://www.drupal.org/node/2882805
* Advisory ID: DRUPAL-SA-CONTRIB-2017-052
* Project: Lightweight Directory Access Protocol (LDAP) [1] (third-party module)
* Version: 7.x
* Date: 2017-May-31
* Security risk: 15/25 ( Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The LDAP module does not sanitize user input correctly in several cases,
allowing a user to modify parameters without restriction and to inject data.
If the site administrator chooses to hide the email or password field on the
user form (instead of showing or disabling it under "Authorization"), these
values can be overwritten.
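The root cause described above is a field that is hidden in the browser but still trusted on the server. The following Drupal 7 code is an added illustration, not code from the LDAP module; it contrasts hiding an element as a hidden input (the submitted value is still processed) with the Form API's #access flag (submitted input is discarded and the server-side default is kept). The variable name 'example_ldap_hide_mail' and the 'example_' function prefix are assumptions.

```php
<?php
/**
 * Added illustration, not code from the LDAP module. It contrasts two ways of
 * "hiding" the e-mail and password fields on the Drupal 7 user form: turning
 * them into hidden inputs, which still accepts whatever value the request
 * carries, and setting #access to FALSE, which makes the form builder discard
 * any submitted value and keep the server-side default. The variable name
 * 'example_ldap_hide_mail' and the 'example_' prefix are assumptions.
 */

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form() (module "example_weak").
 *
 * WEAK: the element is no longer visible, but it is still an input element,
 * so a 'mail' or 'pass' value carried by the request is processed like any
 * other and can overwrite the directory-managed value.
 */
function example_weak_form_user_profile_form_alter(&$form, &$form_state) {
  if (variable_get('example_ldap_hide_mail', FALSE)) {
    $form['account']['mail']['#type'] = 'hidden';
    $form['account']['pass']['#type'] = 'hidden';
  }
}

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form() (module "example").
 *
 * HARDENED: with #access FALSE the element is not rendered and the form
 * builder ignores request input for it, so the value that reaches submit
 * handlers is the #default_value (the account's current e-mail), whatever
 * the request contained.
 */
function example_form_user_profile_form_alter(&$form, &$form_state) {
  if (variable_get('example_ldap_hide_mail', FALSE)) {
    $form['account']['mail']['#access'] = FALSE;
    $form['account']['pass']['#access'] = FALSE;
    // Defence in depth: another hook_form_alter() could re-enable access.
    $form['#validate'][] = 'example_ldap_protected_fields_validate';
  }
}

/**
 * Validation handler: refuse any change to the server-managed values.
 */
function example_ldap_protected_fields_validate($form, &$form_state) {
  $account = $form['#user'];
  $values = $form_state['values'];
  if (isset($values['mail']) && $values['mail'] !== $account->mail) {
    form_set_error('mail', t('The e-mail address is managed by the directory and cannot be changed here.'));
  }
  if (!empty($values['pass'])) {
    form_set_error('pass', t('The password is managed by the directory and cannot be changed here.'));
  }
}
```

The validation handler is the check to keep even if the module's own hiding logic changes: a server-managed value must be compared against the server's copy, never taken from the request.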
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* LDAP 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Lightweight
Directory Access Protocol (LDAP) [4] module, there is nothing you need to
do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the LDAP module for Drupal 7.x-2.x, upgrade to LDAP 7.x-2.2 [5]
Also see the Lightweight Directory Access Protocol (LDAP) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* ABDERRAZAK ZENNED [7]
-------- FIXED BY
------------------------------------------------------------
* Lee Rowlands [8]
* queenvictoria [9]
* Hendrik Grahl [10]
* Michael Hess [11] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/ldap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/ldap
[5] https://www.drupal.org/project/ldap/releases/7.x-2.2
[6] https://www.drupal.org/project/ldap
[7] https://www.drupal.org/u/azenned
[8] https://www.drupal.org/u/larowlan
[9] https://www.drupal.org/u/queenvictoria
[10] https://www.drupal.org/u/grahl
[11] https://www.drupal.org/u/mlhess
[12] https://www.drupal.org/u/mlhess
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2881156
* Advisory ID: DRUPAL-SA-CONTRIB-2017-050
* Project: landing_page [1] (third-party module)
* Date: 24-May-2017
-------- DESCRIPTION
---------------------------------------------------------
The Custom Landing Page Builder module allows webmasters to build custom
landing pages using a WYSIWYG editor while keeping full control over the
layout of the page, including the header, navigation, page content, footer,
forms, etc.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer.
If you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed landing_page
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the landing_page module for Drupal you should uninstall it.
Also see the landing_page [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [4] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via
the contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9]
[1] https://www.drupal.org/project/landing_page
[2] https://www.drupal.org/project/landing_page
[3] https://www.drupal.org/project/landing_page
[4] https://www.drupal.org/u/matt-v
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2881215
* Advisory ID: DRUPAL-SA-CONTRIB-2017-051
* Project: Site verification [1] (third-party module)
* Version: 7.x
* Date: 2017-May-24
* Security risk: 14/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Site Verify module enables privileged users to verify a site with
services like Google Webmaster Tools using meta tags or file uploads.
The module doesn't sufficiently sanitize input or restrict uploads.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer site verify".
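The two weaknesses named above, unrestricted uploads and unsanitized input, map onto two controls in a Drupal 7 module. The code below is an added illustration, not code from the Site Verify module: it whitelists the upload's extension and size before the file reaches disk, validates the meta tag value as a bare token, and still escapes it at output time. The form field names, the 'public://site-verify' destination and the 'example_' prefix are assumptions.

```php
<?php
/**
 * Added illustration, not code from the Site Verify module. Shows upload
 * restriction and output escaping for a Drupal 7 verification page. The field
 * names, destination directory and 'example_' prefix are assumptions.
 */

// Verification services hand out small static text or HTML files; nothing
// else needs to be accepted (assumed policy).
define('EXAMPLE_VERIFY_EXTENSIONS', 'html htm txt');
define('EXAMPLE_VERIFY_MAX_BYTES', 16384);

/**
 * Validation handler for the verification settings form.
 */
function example_site_verify_form_validate($form, &$form_state) {
  // The menu item already requires this permission; repeating it here means a
  // form embedded or altered elsewhere cannot skip the check.
  if (!user_access('administer site verify')) {
    form_set_error('', t('You are not allowed to change site verification.'));
    return;
  }

  $validators = array(
    // Whitelist: the upload is refused unless its extension is listed, so
    // PHP, SVG or other scriptable types never reach the file system.
    'file_validate_extensions' => array(EXAMPLE_VERIFY_EXTENSIONS),
    'file_validate_size' => array(EXAMPLE_VERIFY_MAX_BYTES),
  );
  $file = file_save_upload('verification_file', $validators, 'public://site-verify');
  if ($file === FALSE) {
    // A file was submitted but a validator rejected it. The validator has
    // already reported why; this just stops the form from being saved.
    form_set_error('verification_file', t('The verification file was not accepted.'));
  }
  elseif ($file) {
    // NULL means no file was submitted; an object means it passed.
    $form_state['storage']['verification_file'] = $file;
  }

  // The meta tag value is a bare token; anything that is not one is refused
  // up front instead of being filtered later.
  $meta = trim($form_state['values']['verification_meta']);
  if ($meta !== '' && !preg_match('/^[A-Za-z0-9_=\-]{1,255}$/', $meta)) {
    form_set_error('verification_meta', t('The verification value may only contain letters, digits, "-", "_" and "=".'));
  }
}

/**
 * Renders the stored value into the page head. check_plain() is applied at
 * output time as well, so a value that bypassed validation (older data, a
 * direct database edit) can only ever become attribute text, never markup.
 */
function example_site_verify_head_markup($service_name, $meta_content) {
  return '<meta name="' . check_plain($service_name) . '" content="' . check_plain($meta_content) . '" />';
}
```

Both layers matter: the input validator keeps bad data out of storage, and the output escape means stored data that predates the validator is still rendered safely.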
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Site Verify 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Site
verification [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Site Verify module for Drupal 7.x, upgrade to Site Verify
7.x-1.2 [5]
Also see the Site verification [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kevin Reynen [7]
-------- FIXED BY
------------------------------------------------------------
* Kevin Reynen [8]
* Damien McKenna [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/site_verify
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/site_verify
[5] https://www.drupal.org/project/site_verify/releases/7.x-1.2
[6] https://www.drupal.org/project/site_verify
[7] https://www.drupal.org/u/kreynen
[8] https://www.drupal.org/u/kreynen
[9] https://www.drupal.org/u/DamienMcKenna
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2879180
* Advisory ID: DRUPAL-SA-CONTRIB-2017-049
* Project: Display Suite [1] (third-party module)
* Version: 8.x
* Date: 2017-May-17
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.
In certain situations, Display Suite does not properly sanitize some of the
output, allowing a malicious user to embed scripts within a page, resulting
in a Cross-site Scripting (XSS) vulnerability.
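As an added illustration (not code from Display Suite), the two Drupal 8 functions below render a user-editable label, such as a field label, in the two ways the advisory's wording contrasts: one marks the string as safe and lets it through untouched, the other escapes it at the point it is concatenated into markup. Function names and the sample input are assumptions.

```php
<?php
/**
 * Added illustration, not code from Display Suite. Both functions build a
 * Drupal 8 render array for a user-controlled label. Function names are
 * assumptions.
 */

use Drupal\Component\Utility\Html;
use Drupal\Core\Render\Markup;

/**
 * WEAK: Markup::create() tells the renderer the string is already safe, so it
 * is neither escaped nor filtered. A label of '<script>alert(1)</script>'
 * (constructed sample) is sent to the browser verbatim.
 */
function example_ds_label_weak(string $label): array {
  return [
    '#markup' => Markup::create('<h2 class="field-label">' . $label . '</h2>'),
  ];
}

/**
 * HARDENED: escape the untrusted part where it meets the markup.
 * Html::escape() converts <, >, &, " and ' to entities, so the browser shows
 * the label text instead of parsing it. The render-array equivalent without
 * hand-built HTML is ['#plain_text' => $label], which the renderer escapes.
 */
function example_ds_label(string $label): array {
  return [
    '#markup' => '<h2 class="field-label">' . Html::escape($label) . '</h2>',
  ];
}

/**
 * Helper for review: does a render array still carry a Markup object built
 * from an untrusted string? Useful when auditing a module's output for the
 * pattern above.
 */
function example_ds_markup_is_trusted(array $element): bool {
  return isset($element['#markup']) && $element['#markup'] instanceof Markup;
}
```

The rule of thumb this demonstrates: Markup::create() and the Twig |raw filter are assertions that a string is safe, and an assertion about user input is exactly what an XSS fix removes.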
-------- VERSIONS AFFECTED
---------------------------------------------------
* Display Suite 8.x-2.x versions prior to 8.x-2.7.
* Display Suite 8.x-3.x versions prior to 8.x-3.0.
Drupal core is not affected. If you do not use the contributed Display Suite
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Display Suite module for Drupal 8.x-2.x, upgrade to Display
Suite 8.x-2.7 [4]
* If you use the Display Suite module for Drupal 8.x-3.x, upgrade to Display
Suite 8.x-3.0 [5]
Also see the Display Suite [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sascha Grossenbacher [7]
* Bram Goffings [8]
-------- FIXED BY
------------------------------------------------------------
* Bram Goffings [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/ds
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ds
[4] https://www.drupal.org/project/ds/releases/8.x-2.7
[5] https://www.drupal.org/project/ds/releases/8.x-3.0
[6] https://www.drupal.org/project/ds
[7] https://www.drupal.org/u/berdir
[8] https://www.drupal.org/u/aspilicious
[9] https://www.drupal.org/u/aspilicious
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2877392
* Advisory ID: DRUPAL-SA-CONTRIB-2017-047
* Project: DRD agent [1] (third-party module)
* Version: 6.x, 7.x, 8.x
* Date: 2017-May-10
* Security risk: 19/25 ( Critical)
AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery, Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
The Drupal Remote Dashboard (DRD) module enables you to manage and monitor
any remote Drupal site; this module, DRD Agent, is the remote-side module
that responds to requests from authorised DRD sites.
The module doesn't sufficiently protect the URL used to configure itself from
CSRF attacks. A malicious user could craft a special URL that, if visited by
an admin user, would reconfigure the DRD Agent and redirect to any URL.
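The advisory names two defects in one URL handler: no proof that the administrator intended the request (CSRF), and a redirect target taken from the request unchecked (open redirect). The Drupal 7 code below is an added illustration, not code from DRD Agent, showing the two checks a configuration callback of this kind needs: a session-bound token validated with drupal_valid_token(), and a redirect that is only followed when it stays on the local site. The path, the variable name and the 'example_' prefix are assumptions.

```php
<?php
/**
 * Added illustration, not code from DRD Agent. A Drupal 7 menu callback that
 * reconfigures the module from URL parameters and then redirects, with a
 * CSRF token check and a local-only redirect. Path, variable name and the
 * 'example_' prefix are assumptions.
 */

/**
 * Implements hook_menu().
 */
function example_agent_menu() {
  $items['example-agent/configure'] = array(
    'title' => 'Configure agent',
    'page callback' => 'example_agent_configure',
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the only kind of link the callback accepts. The token is derived
 * from the current session and the value string, so it cannot be reused from
 * another session or for another action.
 */
function example_agent_configure_link($dashboard_url) {
  return url('example-agent/configure', array(
    'query' => array(
      'dashboard' => $dashboard_url,
      'token' => drupal_get_token('example_agent_configure'),
    ),
    'absolute' => TRUE,
  ));
}

/**
 * Page callback. The access check only proves the visitor is an
 * administrator; the token check proves that the administrator, and not a
 * page they happened to open, initiated the request.
 */
function example_agent_configure() {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_agent_configure')) {
    watchdog('example_agent', 'Configure request rejected: missing or invalid token.', array(), WATCHDOG_WARNING);
    return MENU_ACCESS_DENIED;
  }

  $dashboard = isset($_GET['dashboard']) ? $_GET['dashboard'] : '';
  // Assumed policy: the dashboard must be an absolute https URL.
  if (!valid_url($dashboard, TRUE) || strpos($dashboard, 'https://') !== 0) {
    return array('#markup' => t('The dashboard address must be an absolute https URL.'));
  }
  variable_set('example_agent_dashboard', $dashboard);
  watchdog('example_agent', 'Dashboard set to %url by %user.',
    array('%url' => $dashboard, '%user' => $GLOBALS['user']->name), WATCHDOG_NOTICE);

  // Redirect only within this site. drupal_goto() would itself honour a
  // 'destination' parameter, so it is read and removed here and used only
  // when it is a local path (no scheme, and not protocol-relative "//host").
  $destination = 'admin/config';
  if (isset($_GET['destination'])) {
    $candidate = $_GET['destination'];
    if (is_string($candidate) && !url_is_external($candidate) && strpos($candidate, '//') !== 0) {
      $destination = $candidate;
    }
    unset($_GET['destination']);
  }
  drupal_goto($destination);
}
```

The watchdog entries are deliberate: a rejected token on a configuration URL is exactly the event a site owner wants to see in the log when someone attempts this.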
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* DRD Agent 7.x-3.x versions prior to 7.x-3.1.
* DRD Agent 8.x-3.x versions prior to 8.x-3.1.
Drupal core is not affected. If you do not use the contributed DRD agent [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent 7.x-3.1 [5]
* If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent 8.x-3.1 [6]
Also see the DRD agent [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Snopek [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jürgen Haas [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/drd_agent
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/drd_agent
[5] https://www.drupal.org/node/2877367
[6] https://www.drupal.org/node/2877369
[7] https://www.drupal.org/project/drd_agent
[8] https://www.drupal.org/user/266527
[9] https://www.drupal.org/user/168924
[10] https://www.drupal.org/user/266527
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2877388
* Advisory ID: DRUPAL-SA-CONTRIB-2017-046
* Project: Drupal Remote Dashboard [1] (third-party module)
* Version: 8.x
* Date: 2017-May-10
* Security risk: 17/25 ( Critical)
AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to access remote Drupal sites and to monitor and
manage them all from one central place.
The module doesn't sufficiently ensure that the system administrator uses an
encryption key that is strong enough for the requirements of the chosen
encryption type. This leads to weak encryption of the communication between
the management dashboard and the remote site, which could be decrypted by an
adequately equipped attacker.
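The fix for a weakness of this kind lives in the settings form: the key must be checked against the key size the selected cipher actually requires before it is saved. The Drupal 8 form below is an added illustration, not code from the DRD module; the module name, cipher list and config keys are assumptions. The check is in a static method so it can be unit tested independently of the form.

```php
<?php
/**
 * Added illustration, not code from the DRD module. A Drupal 8 settings form
 * that refuses to save an encryption key whose size does not match the cipher
 * the administrator selected, so a short passphrase cannot silently become
 * the key. Module name, cipher list and config keys are assumptions.
 */

namespace Drupal\example_drd\Form;

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;

class ExampleDrdSettingsForm extends ConfigFormBase {

  /**
   * Raw key size in bytes required by each supported cipher (assumed list;
   * on PHP >= 8.2, openssl_cipher_key_length() can replace this table).
   */
  const KEY_LENGTHS = [
    'aes-128-cbc' => 16,
    'aes-256-cbc' => 32,
    'aes-256-gcm' => 32,
  ];

  /**
   * Returns NULL if $hex is an acceptable key for $cipher, else the reason.
   */
  public static function keyProblem(string $cipher, string $hex): ?string {
    if (!isset(self::KEY_LENGTHS[$cipher])) {
      return 'Unsupported cipher.';
    }
    $need = self::KEY_LENGTHS[$cipher];
    // Keys are entered hex encoded, so the exact byte count is checkable and
    // a 9-character passphrase cannot be mistaken for a 128-bit key.
    if (!ctype_xdigit($hex) || strlen($hex) !== $need * 2) {
      return sprintf('%s requires a %d-byte key, i.e. %d hex characters.', $cipher, $need, $need * 2);
    }
    // Crude heuristic against "0000..."/"abab..." keys: a random key of
    // $need bytes has far more than $need / 2 distinct byte values.
    if (count(array_unique(str_split($hex, 2))) < $need / 2) {
      return 'The key does not look random; generate it with a CSPRNG.';
    }
    return NULL;
  }

  public function getFormId() {
    return 'example_drd_settings';
  }

  protected function getEditableConfigNames() {
    return ['example_drd.settings'];
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $config = $this->config('example_drd.settings');
    $ciphers = array_keys(self::KEY_LENGTHS);
    $form['cipher'] = [
      '#type' => 'select',
      '#title' => $this->t('Cipher'),
      '#options' => array_combine($ciphers, $ciphers),
      '#default_value' => $config->get('cipher') ?: 'aes-256-gcm',
    ];
    $form['key'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Encryption key (hex)'),
      '#description' => $this->t('Generate with: php -r "echo bin2hex(random_bytes(32));"'),
      '#maxlength' => 128,
      '#required' => TRUE,
    ];
    return parent::buildForm($form, $form_state);
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    parent::validateForm($form, $form_state);
    $problem = self::keyProblem($form_state->getValue('cipher'), trim($form_state->getValue('key')));
    if ($problem !== NULL) {
      $form_state->setErrorByName('key', $problem);
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $this->config('example_drd.settings')
      ->set('cipher', $form_state->getValue('cipher'))
      ->set('key', trim($form_state->getValue('key')))
      ->save();
    parent::submitForm($form, $form_state);
  }

}
```

Requiring hex input is the design choice worth noting: it forces the administrator to supply exactly the cipher's key size and removes the temptation to type a memorable phrase, which is the failure mode the advisory describes.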
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* DRD 8.x-3.x versions prior to 8.x-3.2.
Drupal core is not affected. If you do not use the contributed Drupal Remote
Dashboard [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.2 [5]
Also see the Drupal Remote Dashboard [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Snopek [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jürgen Haas [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/drd
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/drd
[5] https://www.drupal.org/project/drd/releases/8.x-3.2
[6] https://www.drupal.org/project/drd
[7] https://www.drupal.org/user/266527
[8] https://www.drupal.org/user/168924
[9] https://www.drupal.org/user/266527
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2877356
* Advisory ID: DRUPAL-SA-CONTRIB-2017-045
* Project: Webform Multiple File Upload [1] (third-party module)
* Version: 7.x
* Date: 2017-May-10
* Security risk: 10/25 ( Moderately Critical)
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to upload multiple files at once in a webform.
The module doesn't sufficiently check access to file deletion URLs.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit all, or their own, webform submissions.
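A file deletion URL needs two checks that are easy to leave out: that the user may edit the submission, and that the file named in the URL actually belongs to that submission. The Drupal 7 code below is an added illustration, not code from Webform Multiple File Upload. webform_get_submission() and webform_submission_access() are Webform 7.x functions; the path, the component type names and the 'example_' names are assumptions.

```php
<?php
/**
 * Added illustration, not code from Webform Multiple File Upload. A Drupal 7
 * "delete uploaded file" URL whose access callback binds the request to the
 * submission the file belongs to and to Webform's edit permissions. Path,
 * component type names and 'example_' names are assumptions.
 */

/**
 * Implements hook_menu().
 */
function example_multifile_menu() {
  $items['example-multifile/delete/%node/%/%file'] = array(
    'title' => 'Delete uploaded file',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_multifile_delete_form', 2, 3, 4),
    'access callback' => 'example_multifile_delete_access',
    'access arguments' => array(2, 3, 4),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: may the current user delete $file from submission $sid of
 * webform $node?
 */
function example_multifile_delete_access($node, $sid, $file, $account = NULL) {
  if (!$node || empty($node->webform) || !$file) {
    return FALSE;
  }
  module_load_include('inc', 'webform', 'includes/webform.submissions');
  $submission = webform_get_submission($node->nid, (int) $sid);
  if (!$submission) {
    return FALSE;
  }
  // Webform's own rule: "edit all webform submissions", or "edit own webform
  // submissions" when $account authored this submission.
  if (!webform_submission_access($node, $submission, 'edit', $account)) {
    return FALSE;
  }
  // Binding check: the fid must be stored in a file component of *this*
  // submission. Without it, a user allowed to edit submission A could delete
  // attachments of submission B by changing the fid in the URL.
  return example_multifile_owns_file($node, $submission, $file->fid);
}

/**
 * TRUE if $fid is one of the values stored in a file component of $submission.
 * Assumes Webform 7.x-4 data layout: $submission->data[$cid][] = value.
 */
function example_multifile_owns_file($node, $submission, $fid) {
  foreach ($node->webform['components'] as $cid => $component) {
    if (!in_array($component['type'], array('file', 'multifile'), TRUE) || empty($submission->data[$cid])) {
      continue;
    }
    foreach ((array) $submission->data[$cid] as $value) {
      if ((int) $value === (int) $fid) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

/**
 * Confirmation form; the deletion happens in the submit handler.
 */
function example_multifile_delete_form($form, &$form_state, $node, $sid, $file) {
  $form_state['storage'] = array('node' => $node, 'sid' => $sid, 'file' => $file);
  return confirm_form($form,
    t('Delete %name from this submission?', array('%name' => $file->filename)),
    'node/' . $node->nid . '/submission/' . $sid, NULL, t('Delete'), t('Cancel'));
}

function example_multifile_delete_form_submit($form, &$form_state) {
  $s = $form_state['storage'];
  // Re-check at submit time: the access callback ran on the request that
  // built the form, and permissions or the submission may have changed since.
  if (!example_multifile_delete_access($s['node'], $s['sid'], $s['file'])) {
    watchdog('example_multifile', 'Blocked deletion of fid %fid from submission %sid.',
      array('%fid' => $s['file']->fid, '%sid' => $s['sid']), WATCHDOG_WARNING);
    drupal_set_message(t('You are not allowed to delete this file.'), 'error');
    return;
  }
  file_usage_delete($s['file'], 'webform', 'submission', $s['sid']);
  file_delete($s['file']);
  drupal_set_message(t('The file has been removed.'));
  $form_state['redirect'] = 'node/' . $s['node']->nid . '/submission/' . $s['sid'];
}
```

The ownership check is the part most often missing: passing Webform's permission check for one submission says nothing about a file id taken from the URL.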
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* webform_multifile 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Webform
Multiple File Upload [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Webform Multiple File Upload module for Drupal 7.x, upgrade
to Webform Multiple File Upload 7.x-1.6 [5]
Also see the Webform Multiple File Upload [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ben Dougherty [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Jelle Sebreghts [8], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/webform_multifile
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform_multifile
[5] https://www.drupal.org/project/webform_multifile/releases/7.x-1.6
[6] https://www.drupal.org/project/webform_multifile
[7] https://security.drupal.org/user/32553
[8] https://www.drupal.org/user/829198
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2877316
* Advisory ID: DRUPAL-SA-CONTRIB-2017-044
* Project: Media [1] (third-party module)
* Version: 7.x
* Date: 2017-May-10
* Security risk: 16/25 ( Critical)
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Information Disclosure, Arbitrary PHP code execution,
Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module provides intuitive ways to manage large libraries of media and to
insert, display or import various types of media, either through fields or a
WYSIWYG interface.
Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not
sufficiently whitelist input parameters for the media browser.
This vulnerability in the versions of Media prior to those mentioned above is
mitigated by the fact that an attacker must have a role with the permissions
to upload files and to view the media browser.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Media 7.x-2.x versions prior to 7.x-2.1.
* Media 7.x-3.x versions prior to 7.x-3.0-alpha4.
Drupal core is not affected. If you do not use the contributed Media [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Media module, it is recommended to upgrade to Media version
7.x-2.1 (stable) or to 7.x-3.0-alpha5 (cutting edge) or newer.
Also see the Media [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Richard Thomas [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Joseph Olstad [6], the module maintainer
* Richard Thomas [7] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/media
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/media
[4] https://www.drupal.org/project/media
[5] https://www.drupal.org/u/richard.thomas
[6] https://www.drupal.org/u/joseph.olstad
[7] https://www.drupal.org/u/richard.thomas
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2875366
* Advisory ID: DRUPAL-SA-CONTRIB-2017-043
* Project: Shibboleth authentication [1] (third-party module)
* Version: 7.x
* Date: 2017-May-03
* Security risk: 13/25 ( Moderately Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to log in via Shibboleth.
The module doesn't sufficiently log out the user when the Shibboleth session
expires, which, depending on the caching mechanism, makes private data public.
This vulnerability is mitigated by the fact that shib_auth would have to be
used in combination with a caching mechanism that caches content for
authenticated users.
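The defensive pattern is to tie the Drupal session to the Shibboleth session that created it and to end the Drupal session on the first request where the SP no longer reports that session. The Drupal 7 code below is an added illustration, not code from shib_auth. 'Shib-Session-ID' is the Shibboleth SP's default attribute name but is configurable; the $_SESSION key and the 'example_' prefix are assumptions.

```php
<?php
/**
 * Added illustration, not code from shib_auth. Ends the Drupal 7 session as
 * soon as the Shibboleth session it was created from is gone, so a cache that
 * serves content to authenticated users cannot keep answering for a user
 * whose SP session has already expired. Header/variable names, the session
 * key and the 'example_' prefix are assumptions.
 */

/**
 * Implements hook_user_login().
 *
 * Remember which SP session created this Drupal session.
 */
function example_shib_user_login(&$edit, $account) {
  $sid = example_shib_session_id();
  if ($sid !== '') {
    $_SESSION['example_shib_sid'] = $sid;
  }
}

/**
 * Implements hook_init().
 *
 * Runs on every request. If the SP no longer reports the session this login
 * came from, the Drupal session is terminated before any page is built.
 */
function example_shib_init() {
  global $user;
  if (!$user->uid || empty($_SESSION['example_shib_sid'])) {
    return; // Anonymous, or a Drupal session not created via Shibboleth.
  }
  $current = example_shib_session_id();
  if ($current === '' || $current !== $_SESSION['example_shib_sid']) {
    watchdog('example_shib', 'Shibboleth session for %name ended; closing Drupal session.',
      array('%name' => $user->name), WATCHDOG_NOTICE);
    example_shib_force_logout();
    drupal_goto('<front>');
  }
}

/**
 * Reads the SP session identifier. Depending on the SP and web server set-up
 * it arrives as an environment variable or as a request header (assumed
 * names; adjust to the SP's attribute mapping).
 */
function example_shib_session_id() {
  foreach (array('Shib-Session-ID', 'HTTP_SHIB_SESSION_ID', 'REDIRECT_Shib-Session-ID') as $key) {
    if (!empty($_SERVER[$key]) && is_string($_SERVER[$key])) {
      return $_SERVER[$key];
    }
  }
  return '';
}

/**
 * The same steps user_logout() performs, minus the redirect: other modules
 * get their hook_user_logout(), the session row and cookie are removed and
 * the global user becomes anonymous for the rest of this request.
 */
function example_shib_force_logout() {
  global $user;
  module_invoke_all('user_logout', $user);
  session_destroy();
  $user = drupal_anonymous_user();
}
```

Comparing the stored identifier rather than merely checking for the header's presence also catches the case where a different SP session (another person on a shared browser) appears under the old Drupal cookie.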
-------- VERSIONS AFFECTED
---------------------------------------------------
* 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Shibboleth
authentication [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the shib_auth module for Drupal 7.x, upgrade to shib_auth 7.x-4.4 [4]
Also see the Shibboleth authentication [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Bart Vanderstukken [6]
-------- FIXED BY
------------------------------------------------------------
* Kristof Bajnok [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/shib_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/shib_auth
[4] https://www.drupal.org/project/shib_auth/releases/7.x-4.4
[5] https://www.drupal.org/project/shib_auth
[6] https://www.drupal.org/u/sneakyvv
[7] https://www.drupal.org/u/bajnokk
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity