Security-news June 2018

security-news@drupal.org

1 participants
7 discussions

TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
by security-news＠drupal.org 27 Jun '18

27 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-044 Project: TFA Basic plugins [1] Version: 7.x-1.0 Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness Description: The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms. The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor. This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes which is an uncommon configuration. Solution: * If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1 [3] Also see the TFA Basic plugins [4] project page. Reported By: * Greg Knaddison [5] of the Drupal Security Team Fixed By: * Greg Knaddison [6] of the Drupal Security Team * Ben Jeavons [7] of the Drupal Security Team Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/tfa_basic [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tfa_basic/releases/7.x-1.1 [4] https://www.drupal.org/project/tfa_basic [5] https://www.drupal.org/user/36762 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/91990 [8] https://www.drupal.org/u/greggles

1 0

Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043
by security-news＠drupal.org 27 Jun '18

27 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-043 Project: Mass Password Reset [1] Version: 7.x-1.0 Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness Description: This module enables you to reset passwords for all users based upon their user role. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration. Solution: Install the latest version: * If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass Password Reset 7.x-1.1 [3]. Also see the Mass Password Reset [4] project page. Reported By: * Greg Knaddison [5] of the Drupal Security Team Fixed By: * Greg Knaddison [6] of the Drupal Security Team * Mark Shropshire [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/mass_pwreset [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/mass_pwreset/releases/7.x-1.1 [4] https://www.drupal.org/project/mass_pwreset [5] https://www.drupal.org/user/36762 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/14767 [8] https://www.drupal.org/u/greggles

1 0

Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
by security-news＠drupal.org 27 Jun '18

27 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-042 Project: Generate Password [1] Version: 7.x-1.x-dev Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness Description: The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker which is a common configuration. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ Solution: Install the latest version: * If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1 [4] Also see the Generate Password [5] project page. Reported By: * Greg Knaddison [6] of the Drupal Security Team Fixed By: * Joel Stein [7] a module maintainer Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/genpass [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/genpass/releases/7.x-1.1 [5] https://www.drupal.org/project/genpass [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/36598 [8] https://www.drupal.org/u/greggles

1 0

Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041
by security-news＠drupal.org 13 Jun '18

13 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-041 Project: Custom Tokens [1] Date: 2018-June-13 Security risk: *Critical* 16∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Arbitrary PHP code execution Description: The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ Solution: Install the latest version and review your permissions. *Note, after upgrading, additional configuration steps required.* Sites using this module should review the permissions page at Administration » People » Permissions to verify only trusted users are granted permissions defined by the module such as "administer custom tokens". * If you use the Custom Tokens module (1.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-1.2 [4]. * If you use the Custom Tokens module (2.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-2.0 [5]. Also see the Custom Tokens [6] project page. Reported By: * Matt Glaman [7] Fixed By: * Ariel Barreiro [8] Coordinated By: * Michael Hess [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/token_custom [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/token_custom/releases/7.x-1.2 [5] https://www.drupal.org/project/token_custom/releases/7.x-2.0 [6] https://www.drupal.org/project/token_custom [7] https://www.drupal.org/user/2416470 [8] https://www.drupal.org/user/23157 [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/u/greggles

1 0

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
by security-news＠drupal.org 06 Jun '18

06 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-040 Project: Entity Delete [1] Date: 2018-June-06 Security risk: *Critical* 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Multiple Vulnerabilities Description: This module enables you to delete any types of entities in bulk. The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process. The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability. Solution: Install the latest version: * If you use the Entity Delete module for Drupal 8.x, upgrade to Entity Delete 8.x-1.4 [3] Also see the Entity Delete [4] project page. Reported By: * Balazs Janos Tatar [5]Provisional Security Team Member Fixed By: * Balazs Janos Tatar [6]Provisional Security Team Member * A Ajay Kumar Reddy [7] Coordinated By: * Balazs Janos Tatar [8]Provisional Security Team Member [1] https://www.drupal.org/project/entity_delete [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/2977685 [4] https://www.drupal.org/project/entity_delete [5] https://www.drupal.org/user/649590 [6] https://www.drupal.org/user/649590 [7] https://www.drupal.org/user/3261994 [8] https://www.drupal.org/user/649590

1 0

AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039
by security-news＠drupal.org 06 Jun '18

06 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-039 Project: AdTego SiteIntel - AdBlocker Detect [1] Date: 2018-June-06 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Unsupported Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466 [3]. Solution: If you use this project, you should uninstall it. Reported By: * Jean-Francois Hovinne [4] [1] https://www.drupal.org/project/adtego_siteintel [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466 [4] https://www.drupal.org/u/jfhovinne

1 0

Mollom - Critical - Unsupported - SA-CONTRIB-2018-038
by security-news＠drupal.org 06 Jun '18

06 Jun '18

View online: https://www.drupal.org/sa-contrib-2018-038 Project: Mollom [1] Date: 2018-June-06 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Unsupported Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466 [3]. The security team marks all unsupported projects critical by default. Solution: If you use this project, you should uninstall it. Reported By: * Stéphane Corlosquet [4] Fixed By: N/A Coordinated By: N/A [1] https://www.drupal.org/project/mollom [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466 [4] https://www.drupal.org/u/scor

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news June 2018