Security-news January 2018

security-news@drupal.org

1 participants
6 discussions

Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
by security-news＠drupal.org 31 Jan '18

31 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-006 Project: Taxonomy Term Reference Tree Widget [1] Date: 2018-January-31 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description: This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7. The module doesn't sufficiently sanitize the output of its own defined field formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows to edit terms of a taxonomy where the module handles its output. Solution: Install the latest version: * If you use the Taxonomy Term Reference Tree Widget module for Drupal 7.x, upgrade to its 7.x-1.11 [3] Reported By: * Tatar Balazs Janos [4] Fixed By: * Tatar Balazs Janos [5] * Sumit Madan [6] the module maintainer Coordinated By: * Stella Power [7] of the Drupal Security Team [1] https://www.drupal.org/project/term_reference_tree [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/term_reference_tree/releases/7.x-1.11 [4] https://www.drupal.org/u/tatarbj [5] https://www.drupal.org/u/tatarbj [6] https://www.drupal.org/user/1538790 [7] https://www.drupal.org/u/stella

1 0

Sagepay - Critical - Access Bypass - SA-CONTRIB-2018-005
by security-news＠drupal.org 31 Jan '18

31 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-005 Project: Sagepay [1] Version: 7.x-1.4 Date: 2018-January-31 Security risk: *Critical* 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access Bypass Description: This module integrates the Sagepay payment service. Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a succesful payment. This affects all payments in a Drupal installation with this module enabled (including payments made using other payment methods). Solution: Install the latest version: * If you use the sagepay_paymet module for Drupal 7.x, upgrade to sagepay_payment 7.x-1.5 [3] Also see the Sagepay [4] project page. Reported By: * Roman Zimmermann [5] Fixed By: * Roman Zimmermann [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/sagepay_payment [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/sagepay_payment/releases/7.x-1.5 [4] https://www.drupal.org/project/sagepay_payment [5] https://www.drupal.org/u/torotil [6] https://www.drupal.org/u/torotil [7] https://www.drupal.org/u/greggles

1 0

Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
by security-news＠drupal.org 24 Jan '18

24 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-004 Project: Backup and Migrate [1] Date: 2018-January-24 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default [2] Vulnerability: Arbitrary PHP code execution Description: This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page to verify only trusted users are granted permissions defined by the module. Solution: Install the latest version: * If you use the Backup and Migrate module for Drupal 7.x, upgrade to Backup and Migrate 7.x-3.4 [3]. Reported By: * John Bickar [4] * Cash Williams [5] of the Drupal Security Team. Fixed By: * Damien McKenna [6] the module maintainer. * Daniel Pickering [7] the module maintainer. * Pere Orga [8] of the Drupal Security Team. Coordinated By: * Damien McKenna [9] of the Drupal Security Team. [1] https://www.drupal.org/project/backup_migrate [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/backup_migrate/releases/7.x-3.4 [4] https://www.drupal.org/u/john-bickar [5] https://www.drupal.org/u/cashwilliams [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/ikit-claw [8] https://www.drupal.org/u/pere-orga [9] https://www.drupal.org/u/damienmckenna

1 0

Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
by security-news＠drupal.org 17 Jan '18

17 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-003 Project: Bible [1] Date: 2018-January-17 Security risk: *Critical* 17∕25 AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:All [2] Vulnerability: Multiple Vulnerabilities Description: This module enables you to display a Bible on your website. Users can associate notes with a Bible version. This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title. A user must have the "Access Bible content" privilege, which is most likely the default if you have enabled this module. The code appeared to allow other SQL injection vulnerabilities as well. Many lines of code were rewritten to make this module more secure. Therefore, even if you did not give users the "Access Bible content" privilege, there may have been other SQL vulnerabilities which could have been exploited. Solution: Install the latest version: * If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7 [3] Reported By: * jfhovinne [4] Fixed By: * Berend de Boer [5] the module maintainer * László Csécsy (Boobaa) [6] the module maintainer Coordinated By: * Michael Hess [7] of the Drupal Security Team [1] https://www.drupal.org/project/bible [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/bible/releases/7.x-1.7 [4] https://www.drupal.org/user/77723 [5] https://www.drupal.org/user/143552 [6] https://www.drupal.org/user/199303 [7] https://www.drupal.org/u/mlhess

1 0

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
by security-news＠drupal.org 10 Jan '18

10 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-002 Project: Node View Permissions [1] Version: 8.x-1.x-dev7.x-1.x-dev Date: 2018-January-10 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access Bypass Description: The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page. This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view. * This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.* Solution: Install the latest version: * If you use the Node View Permissions module for Drupal 7.x, upgrade to Node View Permissions 7.x-1.5 [3] or higher. * If you use the Node View Permissions module for Drupal 8.x, upgrade to Node View Permissions 8.x-1.1 [4] or higher. Reported By: * Heikki Kesa [5] Fixed By: * The module maintainer Coordinated By: * David Rothstein [6] Of the Drupal Security Team [1] https://www.drupal.org/project/node_view_permissions [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/node_view_permissions/releases/7.x-1.5 [4] https://www.drupal.org/project/node_view_permissions/releases/8.x-1.1 [5] https://www.drupal.org/u/heikki [6] https://www.drupal.org/u/david_rothstein

1 0

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
by security-news＠drupal.org 10 Jan '18

10 Jan '18

View online: https://www.drupal.org/sa-contrib-2018-001 Project: Stacks [1] Date: 2018-January-10 Security risk: *Critical* 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Arbitrary PHP code execution Description: This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected. Solution: Install the latest version: * If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1 [3] Reported By: * Jean-François Hovinne [4] Fixed By: * Mauro Vigliotti [5] the module maintainer Coordinated By: * Michael Hess [6] of the Drupal Security Team [1] https://www.drupal.org/project/stacks [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/stacks/releases/8.x-1.1 [4] https://www.drupal.org/user/77723 [5] https://www.drupal.org/user/176620 [6] https://www.drupal.org/u/mlhess

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news January 2018