Security-news October 2018

security-news@drupal.org

1 participants
13 discussions

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073
by security-news＠drupal.org 31 Oct '18

31 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-073 Project: Paragraphs [1] Version: 8.x-1.4 Date: 2018-October-31 Security risk: *Moderately critical* 10∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access Bypass Description: The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other contributed modules. Solution: Install the latest version: * If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.5 [3] Also see the Paragraphs [4] project page. Reported By: * Sam Becker [5] Fixed By: * Sam Becker [6] * Alex Pott [7] of the Drupal Security Team * Sascha Grossenbacher [8] * Alex Bronstein [9] of the Drupal Security Team * Mateu Aguiló Bosch [10] * Miro Dietiker [11] Coordinated By: * Greg Knaddison [12] of the Drupal Security Team [1] https://www.drupal.org/project/paragraphs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3010590 [4] https://www.drupal.org/project/paragraphs [5] https://www.drupal.org/user/1485048 [6] https://www.drupal.org/user/1485048 [7] https://www.drupal.org/user/157725 [8] https://www.drupal.org/user/214652 [9] https://www.drupal.org/user/78040 [10] https://www.drupal.org/user/550110 [11] https://www.drupal.org/user/227761 [12] https://www.drupal.org/u/greggles

1 0

Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072
by security-news＠drupal.org 31 Oct '18

31 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-072 Project: Session Limit [1] Version: 7.x-2.28.x-1.0-beta2 Date: 2018-October-31 Security risk: *Critical* 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Insecure Session Management Description: The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with another session elsewhere already active, the module asks the user which session should be closed before they can proceed with login. The module does not sufficiently tokenise the list of sessions so that the user's session keys can be found through inspection of the form. This vulnerability is mitigated by the fact that an attacker must already be able to intercept the contents of the HTML page to exploit the issue. That ability to intercept may come from Cross Site Scripting. This makes a Cross Site Scripting vulnerability worse than it would normally be. Solution: Install the latest version: * If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3 [3] * If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3 [4] Also see the Session Limit [5] project page. Reported By: * Simon Kapadia [6] Fixed By: * John Ennew [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/session_limit [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/session_limit/releases/7.x-2.3 [4] https://www.drupal.org/project/session_limit/releases/8.x-1.0-beta3 [5] https://www.drupal.org/project/session_limit [6] https://www.drupal.org/user/3524044 [7] https://www.drupal.org/user/1150042 [8] https://www.drupal.org/u/greggles

1 0

Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018- 071
by security-news＠drupal.org 31 Oct '18

31 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-071 Project: Decoupled Router [1] Version: 8.x-1.18.x-1.0 Date: 2018-October-31 Security risk: *Critical* 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label. The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content. Solution: Install the latest version: * If you use the Decoupled Router module for Drupal 8.x, upgrade to Decoupled Router 8.x-1.2 [3] Also see the Decoupled Router [4] project page. Reported By: * Rainer Friederich [5] Fixed By: * Mateu Aguiló Bosch [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team * Michael Hess (mlhess) [8] of the Drupal Security Team [1] https://www.drupal.org/project/decoupled_router [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/decoupled_router/releases/8.x-1.2 [4] https://www.drupal.org/project/decoupled_router [5] https://www.drupal.org/user/3066367 [6] https://www.drupal.org/user/550110 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/102818

1 0

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-070 Project: Search Autocomplete [1] Date: 2018-October-17 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting CVE IDs: CVE-2018-7603 Description: This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc..). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments. Solution: Install the latest version: * If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-4.8 [3] Also see the Search Autocomplete [4] project page. Reported By: * Simon Kapadia [5] Fixed By: * Dominique CLAUSE [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/search_autocomplete [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/search_autocomplete/releases/7.x-4.8 [4] https://www.drupal.org/project/search_autocomplete [5] https://www.drupal.org/user/3524044 [6] https://www.drupal.org/user/801982 [7] https://www.drupal.org/u/greggles

1 0

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-067 Project: Workbench Moderation [1] Date: 2018-October-17 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Description: The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published. In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass. This issue is related to the Drupal Core release SA-CORE-2018-006 [3]. Solution: Install the latest version: * If you use the Workbench Moderation module for Drupal 8.x, upgrade to Workbench Moderation 8.x-1.4 [4] Also see the Drupal core [5] project page. Reported By: * Roland Kovacsics [6] Fixed By: * Wim Leers [7] * Daniel Wehner [8] * Sam Becker [9] * Tim Millwood [10] * Alex Pott [11] of the Drupal Security Team Coordinated By: * Greg Knaddison [12] of the Drupal Security Team * Lee Rowlands [13] of the Drupal Security Team [1] https://www.drupal.org/project/workbench_moderation [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-006 [4] https://www.drupal.org/project/workbench_moderation/releases/8.x-1.4 [5] https://www.drupal.org/project/drupal [6] https://www.drupal.org/user/3528385 [7] https://www.drupal.org/user/99777 [8] https://www.drupal.org/user/99340 [9] https://www.drupal.org/user/1485048 [10] https://www.drupal.org/user/227849 [11] https://www.drupal.org/user/157725 [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/u/larowlan

1 0

HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-069 Project: HTML Mail [1] Date: 2018-October-17 Security risk: *Critical* 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Remote Code Execution Description: The HTML Mail module lets you theme your messages the same way you theme the rest of your website. When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. This issue is related to the Drupal Core release SA-CORE-2018-006 [3]. Solution: Install the latest version: * If you are running Drupal 7.x, * update to 7.x-2.71 [4]. * In case you're still using 7.x-2.65, there is a version 7.x-2.66 [5] which has only the security patch applied, but you must realize that you are running old code and you're missing a number of bug fixes. Also see the HTML Mail [6] project page. Reported By: * Damien Tournoud [7] Fixed By: * Hans Salvisberg [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/htmlmail [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-006 [4] https://www.drupal.org/project/htmlmail/releases/7.x-2.71 [5] https://www.drupal.org/project/htmlmail/releases/7.x-2.66 [6] https://www.drupal.org/project/htmlmail [7] https://www.drupal.org/user/22211 [8] https://www.drupal.org/user/82964 [9] https://www.drupal.org/u/greggles

1 0

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-068 Project: Mime Mail [1] Date: 2018-October-17 Security risk: *Critical* 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core release SA-CORE-2018-006 [3]. Solution: Install the latest version: * If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail 7.x-1.1 [4] Also see the Mime Mail [5] project page. Reported By: * RainbowLyte [6] Fixed By: * sgabe [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/mimemail [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2018-006 [4] https://www.drupal.org/node/3007375 [5] https://www.drupal.org/project/mimemail [6] https://www.drupal.org/user/3518785 [7] https://www.drupal.org/user/232117 [8] https://www.drupal.org/u/greggles

1 0

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/sa-core-2018-006 * Advisory ID: DRUPAL-SA-CONTRIB-2018-006 * Project: Drupal core [1] * Version: 7.x, 8.x * Date: 2018-October-17 -------- DESCRIPTION --------------------------------------------------------- *Content moderation - Moderately critical - Access bypass - Drupal 8 * In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass. In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility: ModerationStateConstraintValidator Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden. StateTransitionValidationInterface An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method. Implementations which /do/ extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method. User permissions Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions. Reported by * Roland Kovacsics [2] * attilatilman [3] Fixed by * Jess [4] of the Drupal Security Team * Lee Rowlands [5] of the Drupal Security Team * Wim Leers [6] * Daniel Wehner [7] * Sam Becker [8] * Tim Millwood [9] * Alex Pott [10] of the Drupal Security Team *External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8 * The path module allows users with the 'administer paths' to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url. The issue is mitigated by the fact that the user needs the administer paths permission to exploit. Reported by * dyates [11] Fixed by * Dave Reid [12] of the Drupal Security Team * David Rothstein [13] of the Drupal Security Team * Peter Wolanin [14] of the Drupal Security Team * Jess [15] of the Drupal Security Team * Alex Bronstein [16] of the Drupal Security Team * Nathaniel Catchpole [17] of the Drupal Security Team * Lee Rowlands [18] of the Drupal Security Team * Ted Bowman [19]Provisional member of the Drupal Security Team *Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8 * Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. This vulnerability has been publicly documented. .... RedirectResponseSubscriber event handler removal As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers [20]. If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security. Reported by * Brian Osborne [21] Fixed by * Michael Hess [22] of the Drupal Security Team * Wim Leers [23] * Alex Pott [24] of the Drupal Security Team * Grant Gaudet [25] * Lee Rowlands [26] of the Drupal Security Team * Nathaniel Catchpole [27] of the Drupal Security Team * Jess [28] of the Drupal Security Team *Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8* When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. Reported by * Damien Tournoud [29] Fixed by * Lee Rowlands [30] of the Drupal Security Team * Sascha Grossenbacher [31] * Daniel Wehner [32] * Klaus Purer [33] * Damien Tournoud [34] * Stefan Ruijsenaars [35] of the Drupal Security Team * David Rothstein [36] of the Drupal Security Team * David Snopek [37] of the Drupal Security Team * Jess [38] of the Drupal Security Team * Wim Leers [39] * Peter Wolanin [40] of the Drupal Security Team * Ted Bowman [41]Provisional member of the Drupal Security Team *Contextual Links validation - Critical - Remote Code Execution - Drupal 8 * The Contextual Links module doesn't sufficiently validate the requested contextual links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links". Reported by * Nick Booher [42] Fixed by * Lee Rowlands [43] of the Drupal Security Team * Nick Booher [44] * Samuel Mortenson [45] of the Drupal Security Team * Wim Leers [46] * Alex Pott [47] of the Drupal Security Team -------- SOLUTION ------------------------------------------------------------ Upgrade to the most recent version of Drupal 7 or 8 core. * If you are running 7.x, upgrade to Drupal 7.60 [48]. * If you are running 8.6.x, upgrade to Drupal 8.6.2 [49]. * If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8 [50]. Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/user/3528385 [3] https://www.drupal.org/u/attilatilman [4] https://www.drupal.org/user/65776 [5] https://www.drupal.org/user/395439 [6] https://www.drupal.org/user/99777 [7] https://www.drupal.org/user/99340 [8] https://www.drupal.org/user/1485048 [9] https://www.drupal.org/user/227849 [10] https://www.drupal.org/user/157725 [11] https://www.drupal.org/user/3426845 [12] https://www.drupal.org/user/53892 [13] https://www.drupal.org/user/124982 [14] https://www.drupal.org/user/49851 [15] https://www.drupal.org/user/65776 [16] https://www.drupal.org/user/78040 [17] https://www.drupal.org/user/35733 [18] https://www.drupal.org/user/395439 [19] https://www.drupal.org/user/240860 [20] https://www.drupal.org/core/d8-bc-policy#paramconverters [21] https://www.drupal.org/user/788032 [22] https://www.drupal.org/user/102818 [23] https://www.drupal.org/user/99777 [24] https://www.drupal.org/user/157725 [25] https://www.drupal.org/user/360002 [26] https://www.drupal.org/user/395439 [27] https://www.drupal.org/user/35733 [28] https://www.drupal.org/user/65776 [29] https://www.drupal.org/user/22211 [30] https://www.drupal.org/user/395439 [31] https://www.drupal.org/user/214652 [32] https://www.drupal.org/user/99340 [33] https://www.drupal.org/user/262198 [34] https://www.drupal.org/user/22211 [35] https://www.drupal.org/user/551886 [36] https://www.drupal.org/user/124982 [37] https://www.drupal.org/user/266527 [38] https://www.drupal.org/user/65776 [39] https://www.drupal.org/user/99777 [40] https://www.drupal.org/user/49851 [41] https://www.drupal.org/user/240860 [42] https://www.drupal.org/user/809346 [43] https://www.drupal.org/user/395439 [44] https://www.drupal.org/user/809346 [45] https://www.drupal.org/user/2582268 [46] https://www.drupal.org/user/99777 [47] https://www.drupal.org/user/157725 [48] https://www.drupal.org/project/drupal/releases/7.60 [49] http://www.drupal.org/project/drupal/releases/8.6.2 [50] http://www.drupal.org/project/drupal/releases/8.5.8

1 0

Drupal 7.x and 8.x release on Oct 17th, 2018 - DRUPAL-PSA-2018-10-17
by security-news＠drupal.org 17 Oct '18

17 Oct '18

View online: https://www.drupal.org/psa-2018-10-17 The Drupal Security team has a core and contrib release window on the 3rd Wednesday of the month. This window normally ends at 5pm Eastern (9PM UTC) . Due to unforeseen circumstances, we are extending the current window we are in by 4 hours until *Oct 17th, 2018 at 8pm Eastern (11:59PM UTC) *.

1 0

NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066
by security-news＠drupal.org 10 Oct '18

10 Oct '18

View online: https://www.drupal.org/sa-contrib-2018-066 Project: NVP field [1] Date: 2018-October-10 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description: NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the fact that an attacker must have a role with the permission of creating/editing content where the module defined fields are in use. Solution: Install the latest version: * If you use the NVP field module for Drupal 7.x, upgrade to NVP field 7.x-1.1 [3] Also see the NVP field [4] project page. Reported By: * Balazs Janos Tatar [5] Provisional Security Team Member Fixed By: * John Avery [6] Coordinated By: * Michael Hess [7] of the Drupal Security Team [1] https://www.drupal.org/project/nvp [2] https://www.drupal.org/security-team/risk-levels [3] project/nvp/releases/7.x-1.1 [4] https://www.drupal.org/project/nvp [5] https://www.drupal.org/user/649590 [6] https://www.drupal.org/user/2573976 [7] https://www.drupal.org/u/mlhess

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2018