View online: https://www.drupal.org/node/2910308
* Advisory ID: DRUPAL-SA-CONTRIB-2017-076
* Project: Skype Status [1] (third-party module)
* Version: 7.x
* Date: 2017-September-20
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to obtain the status of a user's Skype account.
The module does not sufficiently sanitize the Skype ID entered by a user
before it is output, which allows cross-site scripting.
This vulnerability is mitigated by the fact that an attacker must have an
account on the site and be allowed to edit/input their Skype ID.
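The following is an added example and not code from the Skype Status module. It shows the class of defect the advisory describes (a stored Skype ID concatenated into markup without escaping) next to a hardened version that escapes at output and additionally validates the value at input. The example_ function names and the Skype-name allowlist are assumptions made for this example; check_plain(), drupal_attributes(), form_set_error() and t() are Drupal 7 API functions.

```php
<?php
/**
 * Added example (not the Skype Status module's code): outputting a
 * user-supplied Skype ID in Drupal 7. Function names prefixed "example_"
 * are hypothetical; check_plain(), drupal_attributes(), form_set_error()
 * and t() are real Drupal 7 API functions.
 */

// Vulnerable pattern: the stored Skype ID is concatenated into markup as-is.
// A value such as  "><script>alert(1)</script>  closes the href attribute and
// injects script into every page that renders this user's Skype status.
function example_skype_status_link_vulnerable($skype_id) {
  return '<a href="skype:' . $skype_id . '?call">' . $skype_id . '</a>';
}

// Hardened pattern: escape at the point of output. check_plain() encodes
// < > & " ' so the value can close neither the text node nor the attribute;
// drupal_attributes() runs check_plain() over every attribute value it emits.
// The "skype:" scheme is fixed by the code, so the user cannot change it.
function example_skype_status_link($skype_id) {
  $attributes = array(
    'href' => 'skype:' . $skype_id . '?call',
    'class' => array('skype-status-link'),
  );
  return '<a' . drupal_attributes($attributes) . '>' . check_plain($skype_id) . '</a>';
}

// Defence in depth: reject implausible values when the profile form is
// submitted, so hostile input is never stored. Attach with
// '#element_validate' => array('example_skype_id_validate') on the field.
// The allowlist (a leading letter, then letters, digits and . , - _ for 6 to
// 32 characters in total) is an assumption made for this example, not a rule
// stated in the advisory.
function example_skype_id_validate($element, &$form_state) {
  $value = trim($element['#value']);
  if ($value !== '' && !preg_match('/^[A-Za-z][A-Za-z0-9.,_-]{5,31}$/', $value)) {
    form_set_error(implode('][', $element['#parents']),
      t('%title is not a valid Skype name.', array('%title' => $element['#title'])));
  }
}
```

Output escaping is the fix that closes the hole; the input allowlist only reduces what can be stored and must not be relied on alone, since stored values may predate the check or arrive through other paths (imports, the user API).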
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Skype Status (skype_status) 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Skype Status
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Skype Status (skype_status) module for Drupal 7.x, upgrade
to Skype Status (skype_status) 7.x-1.2 [5].
Also see the Skype Status [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Tatár Balázs János (tatarbj) [7].
-------- FIXED BY
------------------------------------------------------------
* Tatár Balázs János (tatarbj) [8] provided the patch.
* Nicholas Alipaz (nicholasalipaz) [9], the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/skype_status
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/skype_status
[5] https://www.drupal.org/project/skype_status/releases/7.x-1.2
[6] https://www.drupal.org/project/skype_status
[7] https://www.drupal.org/user/649590
[8] https://www.drupal.org/user/649590
[9] https://www.drupal.org/u/nicholasalipaz
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2910306
* Advisory ID: DRUPAL-SA-CONTRIB-2017-075
* Project: Page Access [1] (third-party module)
* Date: 2017-September-20
-------- DESCRIPTION
---------------------------------------------------------
This module provides the option to grant View and Edit access to users and
roles on each node page.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Page Access
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Page Access module for Drupal you should uninstall it.
Also see the Page Access [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Frédéric Buclin [4]
-------- FIXED BY
------------------------------------------------------------
Not applicable
[1] https://www.drupal.org/project/page_access
[2] https://www.drupal.org/project/page_access
[3] https://www.drupal.org/project/page_access
[4] https://www.drupal.org/u/lpsolit
View online: https://www.drupal.org/node/2908592
* Advisory ID: DRUPAL-SA-CONTRIB-2017-074
* Project: Flag clear [1] (third-party module)
* Version: 7.x
* Date: 2017-September-13
* Security risk: 14/25 (Moderately Critical)
AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Flag clear module allows administrators to remove user flags for content.
This functionality is often useful in user-submission use-cases, where users
do not necessarily need to unflag things on their own.
The module does not sufficiently confirm a user's intent before taking
unflagging actions, so a forged request from another site can trigger them
(cross-site request forgery).
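The following is an added example and not code from the Flag clear module. It shows an administrative "clear this user's flag" action wired up the way the advisory describes (a plain request that changes state) and two hardened variants: a confirmation form, which carries the Form API's session-bound form_token, and a token-protected link. The paths and example_ functions are hypothetical; hook_menu(), confirm_form(), drupal_get_token(), drupal_valid_token(), user_load() and the Flag module's flag_get_flag() and $flag->flag() are real APIs, used as this example assumes them.

```php
<?php
/**
 * Added example (not the Flag clear module's code): an administrative
 * "clear this user's flag" action in a Drupal 7 module. Paths and the
 * example_ functions are hypothetical; hook_menu(), confirm_form(),
 * drupal_get_token()/drupal_valid_token(), user_load() and the Flag module's
 * flag_get_flag()/$flag->flag() are real APIs, used here as this example
 * assumes them.
 */

function example_flag_clear_menu() {
  $items = array();
  // Vulnerable: a plain GET to this path changes state. A page the admin
  // visits can embed <img src="/example/unflag/bookmarks/42/7"> and the
  // browser attaches the admin's session cookie; the access check passes
  // because the request really is the admin's. Only the intent is missing.
  $items['example/unflag/%/%/%'] = array(
    'page callback' => 'example_unflag_vulnerable',
    'page arguments' => array(2, 3, 4),
    'access arguments' => array('administer flags'),
    'type' => MENU_CALLBACK,
  );
  // Hardened (a): route the action through a confirmation form. The Form API
  // adds a hidden form_token bound to the session and rejects submissions
  // without a valid one, so a cross-site request never reaches the submit handler.
  $items['example/unflag-confirm/%/%/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_unflag_confirm_form', 2, 3, 4),
    'access arguments' => array('administer flags'),
    'type' => MENU_CALLBACK,
  );
  // Hardened (b): for a one-click link, require a token tied to the action.
  $items['example/unflag-token/%/%/%'] = array(
    'page callback' => 'example_unflag_with_token',
    'page arguments' => array(2, 3, 4),
    'access arguments' => array('administer flags'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Shared worker: remove $flag_name on node $nid for user $uid. The TRUE skips
// the per-user permission check, as this is an administrative clear.
function example_do_unflag($flag_name, $nid, $uid) {
  $flag = flag_get_flag($flag_name);
  $account = user_load($uid);
  if ($flag && $account) {
    $flag->flag('unflag', $nid, $account, TRUE);
  }
}

function example_unflag_vulnerable($flag_name, $nid, $uid) {
  example_do_unflag($flag_name, $nid, $uid);
  drupal_goto('node/' . $nid);
}

function example_unflag_confirm_form($form, &$form_state, $flag_name, $nid, $uid) {
  $form['args'] = array('#type' => 'value', '#value' => array($flag_name, $nid, $uid));
  return confirm_form($form,
    t('Remove the %flag flag on this content for user %uid?', array('%flag' => $flag_name, '%uid' => $uid)),
    'node/' . $nid, NULL, t('Remove flag'), t('Cancel'));
}

function example_unflag_confirm_form_submit($form, &$form_state) {
  list($flag_name, $nid, $uid) = $form_state['values']['args'];
  example_do_unflag($flag_name, $nid, $uid);
  drupal_set_message(t('The flag has been removed.'));
  $form_state['redirect'] = 'node/' . $nid;
}

// Token variant: the link carries drupal_get_token() of a string naming the
// exact action. The token is an HMAC over that string keyed with the site's
// private key, hash salt and the user's session id, so another site cannot
// forge it and a token for one action does not work for another.
function example_unflag_link($flag_name, $nid, $uid) {
  $path = 'example/unflag-token/' . $flag_name . '/' . $nid . '/' . $uid;
  return l(t('Clear flag'), $path, array('query' => array('token' => drupal_get_token($path))));
}

function example_unflag_with_token($flag_name, $nid, $uid) {
  $path = 'example/unflag-token/' . $flag_name . '/' . $nid . '/' . $uid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  example_do_unflag($flag_name, $nid, $uid);
  drupal_goto('node/' . $nid);
}
```

The permission check is not the missing piece in a CSRF bug; the request is genuinely made by an authorized user. What the hardened variants add is evidence of intent that an attacker's page cannot supply: a form_token or an action-specific token that is bound to the victim's session.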
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All Flag clear module versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Flag clear [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Flag clear module for Drupal 7.x, upgrade to Flag clear
7.x-1.10 [5].
Also see the Flag clear [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Neil Drumm [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Zak Huber [8], the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Peter Wolanin [9] of the Drupal Security Team
[1] https://www.drupal.org/project/flag_clear
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/flag_clear
[5] https://www.drupal.org/project/flag_clear/releases/7.x-1.10
[6] https://www.drupal.org/project/flag_clear
[7] https://www.drupal.org/u/drumm
[8] https://www.drupal.org/user/1437276/
[9] https://www.drupal.org/user/49851
View online: https://www.drupal.org/node/2907137
* Advisory ID: DRUPAL-SA-CONTRIB-2017-073
* Project: CAPTCHA [1] (third-party module)
* Version: 7.x
* Date: 2017-September-06
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:None/E:Proof/TD:Default [2]
* Vulnerability: Denial of Service
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to use various techniques to block automated scripts
/ robots from submitting content to a site, e.g. to block spam comments.
The module does not properly store the session ID of visitors who are given a
session, which could lead to a denial of service.
This vulnerability is mitigated by the fact that Drupal does not give a
session to all visitors, especially when the site is used with advanced
caching systems such as Varnish.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CAPTCHA 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed CAPTCHA [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CAPTCHA module for Drupal 7.x, upgrade to CAPTCHA 7.x-1.5
[5].
Also see the CAPTCHA [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Nightwalker3000 [7]
-------- FIXED BY
------------------------------------------------------------
* Fabiano Sant'Ana [8], the module's maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [9] of the Drupal Security Team.
* Damien McKenna [10] of the Drupal Security Team.
[1] https://www.drupal.org/project/captcha
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/captcha
[5] https://www.drupal.org/project/captcha/releases/7.x-1.5
[6] https://www.drupal.org/project/captcha
[7] https://www.drupal.org/u/nightwalker3000
[8] https://www.drupal.org/u/wundow
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/damienmckenna
View online: https://www.drupal.org/node/2907118
* Advisory ID: DRUPAL-SA-CONTRIB-2017-072
* Project: Clientside Validation [1] (third-party module)
* Version: 7.x
* Date: 2017-September-06
* Security risk: 16/25 (Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The Clientside Validation module enables you to have client-side (JavaScript)
validation on your forms.
The module does not sufficiently validate parameters of a POST request made
when validating a CAPTCHA.
For the 1.x version of this module, this vulnerability is mitigated by the
fact that the CAPTCHA module must be enabled and the 'validate captcha'
option of the Clientside Validation module must be enabled (this option is
enabled by default).
For the 2.x version of this module, this vulnerability is mitigated by the
fact that the CAPTCHA module must be enabled and the Clientside Validation
captcha submodule must be enabled.
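The following is an added example and not code from the Clientside Validation module. The advisory states only that the POST parameters of the CAPTCHA validation request were insufficiently validated and that the result is arbitrary PHP code execution; the vulnerable pattern below, a callable name taken from the request, is a hypothetical illustration of how that class of defect becomes code execution in PHP, placed beside an allowlisted version. The example_ names are hypothetical; drupal_json_output(), db_query(), drupal_strtolower() and the CAPTCHA module's {captcha_sessions} table are real, used as this example assumes them.

```php
<?php
/**
 * Added example (not the Clientside Validation module's code): a Drupal 7
 * AJAX endpoint that checks a CAPTCHA answer. The advisory states only that
 * POST parameters were insufficiently validated; the vulnerable pattern below
 * (a callable name taken from the request) is a hypothetical illustration of
 * how that turns into PHP code execution, not the module's actual code.
 * example_ names are hypothetical; drupal_json_output(), db_query(),
 * drupal_strtolower() and the CAPTCHA module's {captcha_sessions} table are real.
 */

// Vulnerable pattern: the request names the function to run. PHP's
// call_user_func() accepts any function name as a string, so an attacker who
// posts the name of an arbitrary PHP function together with attacker-chosen
// arguments gets the server to execute it with the web server's privileges.
function example_captcha_ajax_vulnerable() {
  $callback = $_POST['validate_callback'];
  $valid = call_user_func($callback, $_POST['captcha_response'], $_POST['captcha_sid']);
  drupal_json_output(array('valid' => (bool) $valid));
}

// Hardened pattern: the client may only name a CAPTCHA type; the server maps
// it through a fixed allowlist to its own validator and casts the remaining
// input to the types it expects. Nothing the client sends is ever treated as
// code, a function name or a path.
function example_captcha_ajax() {
  $validators = array(
    'image' => 'example_validate_image_captcha',
    'math' => 'example_validate_math_captcha',
  );
  $type = isset($_POST['captcha_type']) ? $_POST['captcha_type'] : '';
  if (!isset($validators[$type])) {
    return MENU_NOT_FOUND;
  }
  $sid = isset($_POST['captcha_sid']) ? (int) $_POST['captcha_sid'] : 0;
  $response = isset($_POST['captcha_response']) ? trim((string) $_POST['captcha_response']) : '';
  $valid = $validators[$type]($response, $sid);
  drupal_json_output(array('valid' => $valid));
}

// Both validators look the expected solution up server-side by the CAPTCHA
// session id that the CAPTCHA module issued; the client chooses nothing
// about how the comparison is done.
function example_captcha_solution($sid) {
  return db_query('SELECT solution FROM {captcha_sessions} WHERE csid = :csid',
    array(':csid' => $sid))->fetchField();
}

function example_validate_image_captcha($response, $sid) {
  $solution = example_captcha_solution($sid);
  return $solution !== FALSE && drupal_strtolower($solution) === drupal_strtolower($response);
}

function example_validate_math_captcha($response, $sid) {
  $solution = example_captcha_solution($sid);
  return $solution !== FALSE && is_numeric($response) && (int) $response === (int) $solution;
}
```

The general rule the hardened version follows is that request data may select among options the server already enumerates, but may never supply the option itself; the same applies to module names passed to module_invoke(), file names passed to include, and class names passed to new.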
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Clientside Validation 7.x-1.x versions prior to 7.x-1.44.
* Clientside Validation 7.x-2.x versions prior to 7.x-2.0-beta1.
Drupal core is not affected. If you do not use the contributed Clientside
Validation [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the 1.x version of the Clientside Validation module for Drupal
7.x, upgrade to Clientside Validation 7.x-1.45 [5].
* If you use the 2.x version of the Clientside Validation module for Drupal
7.x, upgrade to Clientside Validation 7.x-2.0-beta2 [6].
Also see the Clientside Validation [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Daniel-SCRT [8]
-------- FIXED BY
------------------------------------------------------------
* Jelle Sebreghts [9], the module maintainer.
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/clientside_validation
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/clientside_validation
[5] https://www.drupal.org/project/clientside_validation/releases/7.x-1.45
[6] https://www.drupal.org/project/clientside_validation/releases/7.x-2.0-beta2
[7] https://www.drupal.org/project/clientside_validation
[8] https://www.drupal.org/u/daniel-scrt
[9] https://www.drupal.org/u/jelle_s
[10] https://www.drupal.org/u/greggles