Security-news February 2019

security-news@drupal.org

1 participants
23 discussions

Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-023 Project: Paragraphs [1] Date: 2019-February-20 Security risk: *Critical* 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Remote Code Execution Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Not all configurations are affected. See SA-CORE-2019-003 [4] for details. Solution: * If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.6 [5]. [1] https://www.drupal.org/project/paragraphs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/sa-core-2019-003 [5] https://www.drupal.org/project/paragraphs/releases/8.x-1.6

1 0

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-022 Project: Video [1] Date: 2019-February-20 Security risk: *Critical* 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Remote Code Execution Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Not all configurations are affected. See SA-CORE-2019-003 [4] for details. Solution: Install the latest version: * If you use the Video module for Drupal 8, upgrade to Video 8.x-1.4 [5] [1] https://www.drupal.org/project/video [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/sa-core-2019-003 [5] https://www.drupal.org/project/video/releases/8.x-1.4

1 0

Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-021 Project: Metatag [1] Date: 2019-February-20 Security risk: *Critical* 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Remote code execution Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Not all configurations are affected. See SA-CORE-2019-003 [4] for details. Solution: * If you use the Metatag module for Drupal 8.x, upgrade to Metatag 8.x-1.8 [5]. [1] https://www.drupal.org/project/metatag [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/sa-core-2019-003 [5] https://www.drupal.org/project/metatag/releases/8.x-1.8

1 0

Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-020 Project: Link [1] Date: 2019-February-20 Security risk: *Critical* 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Remote Code Execution Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Not all configurations are affected. See SA-CORE-2019-003 [4] for details. Solution: Install the latest version: * If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.6 [5] [1] https://www.drupal.org/project/link [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/sa-core-2019-003 [5] https://www.drupal.org/project/link/releases/7.x-1.6

1 0

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-019 Project: JSON:API [1] Date: 2019-February-20 Security risk: *Highly critical* 22∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Remote code execution Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Solution: Install the latest version: * If you use the *2.x* version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-2.3 [4] * If you use the *1.x* version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-1.25 [5] [1] https://www.drupal.org/project/jsonapi [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/node/3034433 [5] https://www.drupal.org/node/3034431

1 0

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018
by security-news＠drupal.org 20 Feb '19

20 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-018 Project: RESTful Web Services [1] Date: 2019-February-20 Security risk: *Critical* 19∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: This resolves issues described in SA-CORE-2019-003 [3] for this module. Not all configurations are affected. See SA-CORE-2019-003 [4] for details. Solution: Install the latest version: * If you use the RESTful Web Services module for Drupal 7.x, upgrade to restws 7.x-2.8 [5] [1] https://www.drupal.org/project/restws [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2019-003 [4] https://www.drupal.org/sa-core-2019-003 [5] https://www.drupal.org/project/restws/releases/7.x-2.8

1 0

Critical Release - PSA-2019-02-19
by security-news＠drupal.org 19 Feb '19

19 Feb '19

View online: https://www.drupal.org/psa-2019-02-19 Date: 2019-February-19 Security risk: *Highly critical* 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [1] Vulnerability: Critical Release Description: There will be a *security release of 8.5.x and 8.6.x on February 20th 2019 between 1PM to 5PM America/New York* (1800 to 2200 UTC). (To see this in your local timezone, refer to the Drupal Core Calendar [2]) . The risk on this is currently rated at 20/25 (Highly critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon. Not all configurations are affected. Reserve time on February 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory. Contributed module security updates may also be required. *If you are running Drupal 7*, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time. Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security [3], over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab. Security release announcements will appear on the Drupal.org security advisory page. [1] https://www.drupal.org/security-team/risk-levels [2] https://calendar.google.com/calendar/r?cid=drupalcorecalendar@association.d… [3] https://www.drupal.org/security

1 0

Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017
by security-news＠drupal.org 13 Feb '19

13 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-017 Project: Entity Registration [1] Date: 2019-February-13 Security risk: *Critical* 18∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default [2] Vulnerability: Multiple Vulnerabilities Description: This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern. If anonymous users are allowed to register and: * anonymous users have the "View" permission, information included in the registration can be accessed. * anonymous users have the "Edit" permission, information included in the registration can be altered. * anonymous users have the "Delete" permission, the registration itself can be deleted. This vulnerability is mitigated by the fact that it only applies to cases where the anonymous user role has specifically been given View, Edit, or Delete access to the specific Registration Type. Solution: Install the latest version: * If you use the Registration 1.x module for Drupal 7.x, upgrade to Registration 7.x-1.7 [3] * If you use the Registration 2.x module for Drupal 7.x, upgrade to Registration 7.x-2.0-beta3 [4] Reported By: * gaele [5] Fixed By: * Gabriel Carleton-Barnes [6] Coordinated By: * Michael Hess [7]of the Drupal Security Team [1] https://www.drupal.org/project/registration [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/registration/releases/7.x-1.7 [4] https://www.drupal.org/project/registration/releases/7.x-2.0-beta3 [5] https://www.drupal.org/user/1765 [6] https://www.drupal.org/user/1682976 [7] https://www.drupal.org/u/mlhess

1 0

OAuth 2.0 Client Login (Single Sign-On) - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
by security-news＠drupal.org 13 Feb '19

13 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-016 Project: OAuth 2.0 Client Login (Single Sign-On) [1] Date: 2019-February-13 Security risk: *Critical* 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Multiple Vulnerabilities Description: This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability. Solution: Install the latest version: * If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to miniOrange OAuth Client 7.x-1.21 [3] Reported By: * Drew Webber [4] Fixed By: * Drew Webber [5] provisional security team member * Gaurav Sood [6] Coordinated By: * Drew Webber [7] provisional security team member [1] https://www.drupal.org/project/miniorange_oauth_client [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.21 [4] https://www.drupal.org/user/255969 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/3288491 [7] https://www.drupal.org/user/255969

1 0

Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
by security-news＠drupal.org 13 Feb '19

13 Feb '19

View online: https://www.drupal.org/sa-contrib-2019-015 Project: Focal Point [1] Version: 7.x-1.17.x-1.0 Date: 2019-February-13 Security risk: *Moderately critical* 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget. Solution: Install the latest version: * If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2 [3] Also see the Focal Point [4] project page. Reported By: * poiu [5] Fixed By: * Alexander Ross [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/focal_point [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/focal_point/releases/7.x-1.2 [4] https://www.drupal.org/project/focal_point [5] https://www.drupal.org/user/194009 [6] https://www.drupal.org/user/77375 [7] https://www.drupal.org/user/36762

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news February 2019