Security-news September 2017

security-news@drupal.org

1 participants
5 discussions

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076
by security-news＠drupal.org 20 Sep '17

20 Sep '17

View online: https://www.drupal.org/node/2910308 * Advisory ID: DRUPAL-SA-CONTRIB-2017-076 * Project: Skype Status [1] (third-party module) * Version: 7.x * Date: 2017-September-20 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to obtain the status for a user's Skype account The module doesn't sufficiently sanitize the user input for their Skype ID. This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Skype Status (skype_status) 7.x-2.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Skype Status [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Skype Status (skype_status) module for Drupal 7.x, upgrade to Skype Status (skype_status) 7.x-1.2 [5]. Also see the Skype Status [6] project page. -------- REPORTED BY --------------------------------------------------------- * Tatár Balázs János (tatarbj) [7]. -------- FIXED BY ------------------------------------------------------------ * Tatár Balázs János (tatarbj) [8] provided patch. * Nicholas Alipaz (nicholasalipaz) [9] the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/skype_status [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/skype_status [5] https://www.drupal.org/project/skype_status/releases/7.x-1.2 [6] https://www.drupal.org/project/skype_status [7] https://www.drupal.org/user/649590 [8] https://www.drupal.org/user/649590 [9] https://www.drupal.org/u/nicholasalipaz [10] https://www.drupal.org/u/mlhess [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Page Access - Unsupported - SA-CONTRIB-2017-75
by security-news＠drupal.org 20 Sep '17

20 Sep '17

View online: https://www.drupal.org/node/2910306 * Advisory ID: DRUPAL-SA-CONTRIB-2017-75 * Project: Page Access [1] (third-party module) * Date: 20-September-2017 -------- DESCRIPTION --------------------------------------------------------- This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466 -------- VERSIONS AFFECTED --------------------------------------------------- * All versions Drupal core is not affected. If you do not use the contributed Page Access [2] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Page Access module for Drupal you should uninstall it. Also see the Page Access [3] project page. -------- REPORTED BY --------------------------------------------------------- * Frédéric Buclin [4] -------- FIXED BY ------------------------------------------------------------ Not applicable -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [5]. Learn more about the Drupal Security team and their policies [6], writing secure code for Drupal [7], and securing your site [8]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [9] [1] https://www.drupal.org/project/page_access [2] https://www.drupal.org/project/page_access [3] https://www.drupal.org/project/page_access [4] https://www.drupal.org/u/lpsolit [5] https://www.drupal.org/contact [6] https://www.drupal.org/security-team [7] https://www.drupal.org/writing-secure-code [8] https://www.drupal.org/security/secure-configuration [9] https://twitter.com/drupalsecurity

1 0

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074
by security-news＠drupal.org 13 Sep '17

13 Sep '17

View online: https://www.drupal.org/node/2908592 * Advisory ID: DRUPAL-SA-CONTRIB-2017-074 * Project: Flag clear [1] (third-party module) * Version: 7.x * Date: 2017-September-13 * Security risk: 14/25 ( Moderately Critical) AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All Flag clear module versions prior to 7.x-1.10. Drupal core is not affected. If you do not use the contributed Flag clear [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Flag clear module for Drupal 7.x, upgrade to Flag clear 7.x-1.10 [5] Also see the Flag clear [6] project page. -------- REPORTED BY --------------------------------------------------------- * Neil Drumm [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Zak Huber [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Peter Wolanin [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/flag_clear [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/flag_clear [5] https://www.drupal.org/project/flag_clear/releases/7.x-1.10 [6] https://www.drupal.org/project/flag_clear [7] https://www.drupal.org/u/drumm [8] https://www.drupal.org/user/1437276/ [9] https://www.drupal.org/user/49851 [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073
by security-news＠drupal.org 06 Sep '17

06 Sep '17

View online: https://www.drupal.org/node/2907137 * Advisory ID: DRUPAL-SA-CONTRIB-2017-073 * Project: CAPTCHA [1] (third-party module) * Version: 7.x * Date: 2017-September-06 * Security risk: 10/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Proof/TD:Default [2] * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This vulnerability is mitigated by the fact that Drupal does not give a session to all visitors, especially when used with advanced caching systems like Varnish. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * CAPTCHA 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed CAPTCHA [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the CATPCHA module for Drupal 7.x, upgrade to CAPTCHA 7.x-1.5. [5] Also see the CAPTCHA [6] project page. -------- REPORTED BY --------------------------------------------------------- * Nightwalker3000 [7] -------- FIXED BY ------------------------------------------------------------ * Fabiano Sant'Ana [8], the module's maintainer. -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [9] of the Drupal Security Team. * Damien McKenna [10] of the Drupal Security Team. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/captcha [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/captcha [5] https://www.drupal.org/project/captcha/releases/7.x-1.5 [6] https://www.drupal.org/project/captcha [7] https://www.drupal.org/u/nightwalker3000 [8] https://www.drupal.org/u/wundow [9] https://www.drupal.org/u/larowlan [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072
by security-news＠drupal.org 06 Sep '17

06 Sep '17

View online: https://www.drupal.org/node/2907118 * Advisory ID: DRUPAL-SA-CONTRIB-2017-072 * Project: Clientside Validation [1] (third-party module) * Version: 7.x * Date: 2017-September-06 * Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- The Clientside Validation module enables you to have clientside (Javascript) validation on your forms. The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA. For the 1.x version of this module, this vulnerability is mitigated by the fact that the CAPTCHA module must be enabled and the 'validate captcha' option of the Clientside Validation module must be enabled (this option is enabled by default). For the 2.x version of this module, this vulnerability is mitigated by the fact that the CAPTCHA module must be enabled and the Clientside Validation captcha submodule must be enabled. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Clientside Validation 7.x-1.x versions prior to 7.x-1.44. * Clientside Validation 7.x-2.x versions prior to 7.x-2.0-beta1. Drupal core is not affected. If you do not use the contributed Clientside Validation [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the 1.x version of Clientside Validation module for Drupal 7.x, upgrade to Clientside Validation 7.x-1.45 [5] * If you use the 2.x version of Clientside Validation module for Drupal 7.x, upgrade to Clientside Validation 7.x-2.0-beta2 [6] Also see the Clientside Validation [7] project page. -------- REPORTED BY --------------------------------------------------------- * Daniel-SCRT [8] -------- FIXED BY ------------------------------------------------------------ * Jelle Sebreghts [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/clientside_validation [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/clientside_validation [5] https://www.drupal.org/project/clientside_validation/releases/7.x-1.45 [6] https://www.drupal.org/project/clientside_validation/releases/7.x-2.0-beta2 [7] https://www.drupal.org/project/clientside_validation [8] https://www.drupal.org/u/daniel-scrt [9] https://www.drupal.org/u/jelle_s [10] https://www.drupal.org/u/greggles [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news September 2017