View online: https://www.drupal.org/sa-contrib-2019-093
Project: Taxonomy access fix [1]
Version: 8.x-2.6, 8.x-2.5, 8.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13/25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check:
* whether a given entity should be access controlled at all, defaulting to
allowing access even to unpublished Taxonomy Terms.
* whether certain administrative routes should be access controlled,
defaulting to allowing access even to users without permission to access
these administrative routes.
The vulnerability is mitigated by the facts that
* the user interface to change the status of Taxonomy Terms was only
released in Drupal Core 8.8; in earlier versions of Drupal Core a custom or
contributed module is required to mark Taxonomy Terms as unpublished.
* all entity operations (except the view operation) available on the
affected administrative routes still require the appropriate permissions.
* an attacker must have a role with permission to either access content or
view Taxonomy Terms in a vocabulary.
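The two defaulting problems above share one root cause: an access handler that answers "allowed" whenever it has no specific reason to refuse. The following is an added illustration, not Taxonomy Access Fix's own code, written in the shape of a Drupal 8 hook_ENTITY_TYPE_access() implementation. The module name "example_term_access", the per-vocabulary permission names, and the assumption that TermInterface provides isPublished() (Core versions with publishable terms) are all assumptions made for the example.

```php
<?php
// Added example, not Taxonomy Access Fix's own code. Contrasts a fail-open
// access handler (the pattern the advisory describes) with a fail-closed
// one. Module name and permission names are assumptions.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\TermInterface;

/**
 * Fail-open variant (illustration only, not a real hook name).
 *
 * The "view" branch never looks at the term's status, so an unpublished
 * term is granted to anyone who reaches this code. Drupal combines hook
 * results with orIf(): an AccessResult::allowed() from one module sticks
 * unless some other module returns forbidden(), so defaulting to allowed()
 * is a grant that no "no opinion" answer elsewhere can take back.
 */
function example_term_access_taxonomy_term_access_open(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation === 'view') {
    return AccessResult::allowed();
  }
  return AccessResult::neutral();
}

/**
 * Implements hook_ENTITY_TYPE_access() for taxonomy_term.
 *
 * Fail-closed variant: every branch that is not explicitly satisfied ends
 * in neutral(), which leaves the decision to Core and to other modules
 * (and means "denied" if nobody grants), and the published status is
 * checked before the view operation is granted.
 */
function example_term_access_taxonomy_term_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation !== 'view' || !$entity instanceof TermInterface) {
    // Edit, delete and other operations keep Core's own permission checks.
    return AccessResult::neutral();
  }
  $vid = $entity->bundle();
  if (!$entity->isPublished()) {
    // Unpublished terms require a dedicated permission; ordinary view
    // rights on the vocabulary are not enough. allowedIfHasPermission()
    // yields neutral(), not forbidden(), when the permission is missing.
    return AccessResult::allowedIfHasPermission($account, "view unpublished terms in $vid")
      ->addCacheableDependency($entity);
  }
  return AccessResult::allowedIfHasPermission($account, "view terms in $vid")
    ->addCacheableDependency($entity);
}
```

The cacheability metadata matters for the same reason as the status check: a verdict that depends on the term's published flag must be invalidated when that flag changes, or a cached "allowed" outlives the edit that unpublished the term.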
Solution:
Install the latest version:
* If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy
Access Fix 8.x-2.7 [3]
Also see the Taxonomy Access Fix project page [4].
Reported By:
* guedressel [5]
Fixed By:
* Julian Pustkuchen [6]
* Patrick Fey [7]
* Oleh Vehera [8]
* guedressel [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna
View online: https://www.drupal.org/sa-contrib-2019-095
Project: Permissions by Term [1]
Date: 2019-December-11
Security risk: *Moderately critical* 13/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
The Permissions by Term module extends Drupal by functionality for
restricting access to single nodes via taxonomy terms.
The module doesn't sufficiently restrict access to node previews, when the
Search API module is used to display nodes in search result lists.
Solution:
Install the latest version:
* If you use the Permissions by Term module for Drupal 8.x, upgrade to
Version 8.x-2.0 [3]
* The settings have been refactored and are now bundled in the
"permissions_by_term.settings.yml" file. There are only a few settings,
so you can simply visit PbT's settings page and set them manually, for
example the "single term restriction" setting.
Also see the Permissions by Term [4] project page.
Reported By:
* Tamás Nagy [5]
Fixed By:
* Peter Majmesku [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/8.x-2.0
[4] https://www.drupal.org/project/permissions_by_term
[5] https://www.drupal.org/user/2252152
[6] https://www.drupal.org/user/786132
[7] https://www.drupal.org/u/greggles
View online: https://www.drupal.org/sa-contrib-2019-096
Project: Webform [1]
Version: 7.x-4.20, 7.x-4.20-rc1, 7.x-4.19, 7.x-4.19-rc1, 7.x-4.18,
7.x-4.18-rc1, 7.x-4.17, 7.x-4.17-rc1, 7.x-4.16, 7.x-4.16-rc1, 7.x-4.15,
7.x-4.15-rc1, 7.x-4.14, 7.x-4.13, 7.x-4.12, 7.x-4.11, 7.x-4.10, 7.x-4.9,
7.x-4.8, 7.x-4.7, 7.x-4.6, 7.x-4.5, 7.x-4.4, 7.x-4.3, 7.x-4.2, 7.x-4.1,
7.x-4.0, 7.x-4.0-rc6, 7.x-4.0-rc5, 7.x-4.0-rc4, 7.x-4.0-rc3, 7.x-4.0-rc2,
7.x-4.0-rc1, 7.x-4.0-beta3, 7.x-4.0-beta2, 7.x-4.0-beta1, 7.x-4.0-alpha10,
7.x-4.0-alpha9, 7.x-4.0-alpha8, 7.x-4.0-alpha7, 7.x-4.0-alpha6,
7.x-4.0-alpha5, 7.x-4.0-alpha4, 7.x-4.0-alpha3, 7.x-4.0-alpha2,
7.x-4.0-alpha1, 7.x-3.28-rc1, 7.x-3.27, 7.x-3.27-rc1, 7.x-3.26,
7.x-3.26-rc1, 7.x-3.25, 7.x-3.24, 7.x-3.23, 7.x-3.22, 7.x-3.21, 7.x-3.20,
7.x-3.19, 7.x-3.18, 7.x-3.17, 7.x-3.16, 7.x-3.15, 7.x-3.13, 7.x-3.12,
7.x-3.11, 7.x-3.10, 7.x-3.9, 7.x-3.8, 7.x-3.7, 7.x-3.6, 7.x-3.4-beta1,
7.x-3.3-beta1, 7.x-3.0-beta8, 7.x-3.0-beta7, 7.x-3.0-beta6, 7.x-3.0-beta5,
7.x-3.0-beta4, 7.x-3.0-beta3, 7.x-3.0-beta2
Date: 2019-December-11
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities
Description:
This module enables you to create forms to collect information from users and
report, analyze and distribute it by email.
The 7.x-3.x module doesn't sufficiently sanitize token values taken from
query strings. If a query string token is used as the value of a markup
component, an attacker can inject JavaScript into a page.
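To make the 7.x-3.x issue concrete, here is an added example that is not Webform's own code. It models the class of bug described above: a token whose value is read straight from the query string is substituted into a markup component, which is rendered as raw HTML. The "%get[key]" token syntax, the function names and the constructed request are assumptions made for the example; the escaping mirrors Drupal 7's check_plain().

```php
<?php
// Added example, not Webform's own code. Models a query-string token being
// substituted into a markup component, once unescaped (vulnerable) and
// once escaped (fixed). Token syntax and function names are assumptions.

/**
 * Escapes a string for HTML the way Drupal 7's check_plain() does.
 */
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Replaces %get[key] tokens in $markup with values taken from $query.
 *
 * @param string $markup   Body of a markup component containing tokens.
 * @param array  $query    Query-string parameters (what $_GET would hold).
 * @param bool   $sanitize FALSE reproduces the vulnerable behaviour.
 */
function example_replace_get_tokens($markup, array $query, $sanitize = TRUE) {
  return preg_replace_callback('/%get\[([^\]]+)\]/', function ($m) use ($query, $sanitize) {
    $value = isset($query[$m[1]]) ? (string) $query[$m[1]] : '';
    // The markup component is output as HTML, so anything that came from
    // the request must be escaped before it is spliced into the markup.
    return $sanitize ? example_check_plain($value) : $value;
  }, $markup);
}

// Constructed request: the visitor controls the "name" parameter, so a
// link such as /node/1?name=<payload> carries the payload into the form.
$query = ['name' => '<img src=x onerror="alert(1)">'];
$markup = '<p>Thanks for your interest, %get[name]!</p>';

// Vulnerable: the <img> tag lands in the page as live HTML.
echo example_replace_get_tokens($markup, $query, FALSE), PHP_EOL;
// Fixed: the same input is rendered as inert text (&lt;img ...&gt;).
echo example_replace_get_tokens($markup, $query, TRUE), PHP_EOL;
```

Run with `php example.php`: the first line contains the tag verbatim, the second contains it entity-encoded. The general rule the fix applies is that the decision to escape belongs at the point where request data meets an HTML context, not with whoever happens to author the form.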
The 7.x-4.x module doesn't sufficiently protect against an attacker changing
the submission identifier of a draft webform, thereby overwriting another
user's submission. Confidential information is not disclosed, but information
can be overwritten and therefore lost or forged.
The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have
a role with permission to submit a webform, and the webform must have the
advanced form setting 'Show "Save draft" button' and/or "Automatically save
as draft between pages and when there are validation errors" enabled.
Neither of these two options is enabled by default. Anonymous users cannot
submit drafts and therefore cannot exploit this vulnerability.
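The 7.x-4.x issue is an ownership check that was missing before a client-supplied submission identifier was honoured. The following is an added example, not Webform's own code, showing the shape of that check: a submission ID taken from the posted form values is only used as the target of a save if the record it names is a draft, belongs to the current user, and belongs to the webform being submitted. The in-memory store, the function name and the constructed rows are assumptions made for the example.

```php
<?php
// Added example, not Webform's own code. Shows the ownership check that
// decides whether a client-supplied draft sid may be written to. Store
// layout, function name and sample rows are assumptions.

/**
 * Returns the submission ID to overwrite, or NULL to create a new draft.
 *
 * @param array $submissions   Existing rows keyed by sid, each of the form
 *                             ['uid' => int, 'nid' => int, 'is_draft' => bool].
 * @param int   $nid           Webform node that is being submitted.
 * @param int   $uid           The current user (0 for anonymous).
 * @param mixed $requested_sid sid taken from the submitted form values.
 */
function example_resolve_draft_sid(array $submissions, $nid, $uid, $requested_sid) {
  // Anonymous users never own drafts, so nothing of theirs can be resumed.
  if ($uid == 0) {
    return NULL;
  }
  if ($requested_sid === NULL || !isset($submissions[$requested_sid])) {
    return NULL;
  }
  $row = $submissions[$requested_sid];
  // The vulnerable behaviour trusted the sid as soon as a row existed.
  // All three conditions must hold before a client-chosen sid is reused;
  // otherwise the save goes to a fresh draft and the other record is untouched.
  if ($row['nid'] != $nid || $row['uid'] != $uid || !$row['is_draft']) {
    return NULL;
  }
  return (int) $requested_sid;
}

// Constructed data: sid 41 is a completed submission by user 7, sid 42 is
// user 9's draft, sid 43 is user 7's own draft, all on webform node 5.
$submissions = [
  41 => ['uid' => 7, 'nid' => 5, 'is_draft' => FALSE],
  42 => ['uid' => 9, 'nid' => 5, 'is_draft' => TRUE],
  43 => ['uid' => 7, 'nid' => 5, 'is_draft' => TRUE],
];
var_dump(example_resolve_draft_sid($submissions, 5, 7, 42)); // NULL: someone else's draft
var_dump(example_resolve_draft_sid($submissions, 5, 7, 41)); // NULL: already submitted
var_dump(example_resolve_draft_sid($submissions, 5, 7, 43)); // int(43): own draft
```

Falling back to a new draft rather than raising an error is a deliberate choice here: it keeps a stale or tampered sid from blocking the legitimate user while still guaranteeing that no record other than the caller's own draft is ever overwritten.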
Solution:
Install the latest version:
* If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform
7.x-3.29 [3] or to Webform 7.x-4.21.
* If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform
7.x-4.21 [4]
Reported By:
* Robin De Herdt [5]
* Ayesh Karunaratne [6]
Fixed By:
* Robin De Herdt [7]
* Ayesh Karunaratne [8]
* Liam Morland [9]
* Dan Chadwick [10]
* Roman Zimmermann [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/7.x-3.29
[4] https://www.drupal.org/project/webform/releases/7.x-4.21
[5] https://www.drupal.org/user/3555113
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/3555113
[8] https://www.drupal.org/user/796148
[9] https://www.drupal.org/user/493050
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/865256
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/mlhess