March 2020 - Security-news - lists.drupal.org

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008
by security-news＠drupal.org 25 Mar '20

25 Mar '20

View online: https://www.drupal.org/sa-contrib-2020-008 Project: Svg Image [1] Date: 2020-March-25 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Cross site scripting Description: SVG Image module allows to upload SVG files. The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file. Solution: Install the latest version: * If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10 [3] Also see the Svg Image [4] project page. Reported By: * Dmitry Kiselev [5] Fixed By: * Yaroslav Lushnikov [6] * Dmitry Kiselev [7] * Jeroen Tubex [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/svg_image [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/svg_image/releases/8.x-1.10 [4] https://www.drupal.org/project/svg_image [5] https://www.drupal.org/user/1945174 [6] https://www.drupal.org/user/2870933 [7] https://www.drupal.org/user/1945174 [8] https://www.drupal.org/user/2228934 [9] https://www.drupal.org/user/36762

1 0

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
by security-news＠drupal.org 18 Mar '20

18 Mar '20

View online: https://www.drupal.org/sa-contrib-2020-007 Project: CKEditor - WYSIWYG HTML editor [1] Date: 2020-March-18 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross site scripting Description: The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor. Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS). The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names. Solution: Install the latest version: * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.19 [3] Also see the CKEditor- WYSIWYG HTML editor [4] project page Reported By: * Yonatan Offek [5] Fixed By: * Robert Mikołajuk [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/ckeditor [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ckeditor/releases/7.x-1.19 [4] https://www.drupal.org/project/ckeditor [5] https://www.drupal.org/user/194009 [6] https://www.drupal.org/user/2793801 [7] https://www.drupal.org/user/36762

1 0

Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
by security-news＠drupal.org 18 Mar '20

18 Mar '20

View online: https://www.drupal.org/sa-core-2020-001 Project: Drupal core [1] Version: 8.8.x-dev8.7.x-dev Date: 2020-March-18 Security risk: *Moderately critical* 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default [2] Vulnerability: Third-party library Description: The Drupal project uses the third-party library CKEditor [3], which has released a security improvement [4] that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access. The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities. Solution: Install the latest version: * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.4 [5]. * If you are using Drupal 8.7.x, upgrade to Drupal 8.7.12 [6]. Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage. The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated. .... Note for Drupal 7 users Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated. [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/ckeditor/ckeditor4 [4] https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-release… [5] https://www.drupal.org/project/drupal/releases/8.8.4 [6] https://www.drupal.org/project/drupal/releases/8.7.12

1 0

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006
by security-news＠drupal.org 11 Mar '20

11 Mar '20

View online: https://www.drupal.org/sa-contrib-2020-006 Project: SAML Service Provider [1] Date: 2020-March-11 Security risk: *Critical* 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: This module enables you to authenticate Drupal users using an external SAML Identity Provider. If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML. This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration. Solution: Install the latest version: * If you use the SAML Service Provider module for Drupal 8.x, upgrade to SAML Service Provider 8.x-3.7 [3] Also see the SAML Service Provider [4] project page. Reported By: * J Proctor [5] Fixed By: * J Proctor [6] * James Glasgow [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/saml_sp [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/saml_sp/releases/8.x-3.7 [4] https://www.drupal.org/project/saml_sp [5] https://www.drupal.org/user/1194192 [6] https://www.drupal.org/user/1194192 [7] https://www.drupal.org/user/36590 [8] https://www.drupal.org/user/36762

1 0

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005
by security-news＠drupal.org 04 Mar '20

04 Mar '20

View online: https://www.drupal.org/sa-contrib-2020-005 Project: SVG Formatter [1] Date: 2020-March-04 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Cross site scripting Description: SVG Formatter module provides support for using SVG images on your website. This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab [3]. This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files. Solution: Install the latest version: * If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.12 [4] Also see the SVG Formatter [5] project page. Reported By: * Jeroen Tubex [6] Fixed By: * Goran Nikolovski [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/svg_formatter [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/darylldoyle/svg-sanitizer/issues/31 [4] https://www.drupal.org/project/svg_formatter/releases/8.x-1.12 [5] https://www.drupal.org/project/svg_formatter [6] https://www.drupal.org/user/2228934 [7] https://www.drupal.org/user/3451979 [8] https://www.drupal.org/user/36762

1 0