View online: https://www.drupal.org/sa-contrib-2021-005
Project: Fast Autocomplete [1]
Version: 8.x-1.78.x-1.68.x-1.58.x-1.48.x-1.38.x-1.28.x-1.18.x-1.0
Date: 2021-March-17
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Fast Autocomplete module [3] provides fast IMDB-like suggestions below a
text input field. Suggestions are stored as JSON files in the public files
folder so that they can be provided to the browser relatively fast without
the need for Drupal to be bootstrapped.
The module doesn't correctly generate certain hashes when the configuration
option "Perform search as anonymous user only" is switched from the default
on value to off.
This enables a malicious user to read search results generated by users with
other roles, disclosing search results the user normally has no access to.
Solution:
Install the latest version:
* If you use the Fast Autocomplete module for Drupal 8.x, upgrade to Fast
Autocomplete 8.x-1.8 [4]
Alternatively, re-enable the setting "Perform search as anonymous user only"
to only display anonymous search results and delete the generated files by
using the "Delete json files" option in all Fast Autocomplete configurations.
Fast Autocomplete for Drupal 7.x is not affected.
Reported By:
* Heine Deelstra [5] of the Drupal Security Team
Fixed By:
* Heine Deelstra [6] of the Drupal Security Team
* Martijn Vermeulen [7]
Coordinated By:
* Heine Deelstra [8] of the Drupal Security Team
[1] https://www.drupal.org/project/fac
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/fac
[4] https://www.drupal.org/node/3204029
[5] https://www.drupal.org/user/17943
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/960720
[8] https://www.drupal.org/user/17943
View online: https://www.drupal.org/sa-contrib-2021-004
Project: Webform [1]
Date: 2021-March-03
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default [2]
Vulnerability: Access bypass
Description:
The Webform module for Drupal 8/9 [3] includes a default Contact webform,
which sends a notification email to the site owner and a confirmation email
to the email address supplied via the form.
The confirmation email can be used as an open mail relay to send an email to
any email address.
This vulnerability is mitigated by the fact that the site owner's email
address is also receiving a notification email, which should alert the site
owner to the exploitation. If the site owner's mailbox is not monitored, the
open mail relay can be more easily exploited.
With the Webform module's latest release, the default Contact's confirmation
email will only be sent to an authenticated user's email address. Anonymous
users will no longer receive a confirmation email.
If anonymous users need to receive a confirmation email, we recommend you add
SPAM protection to the form and update the email handler.
Solution:
Install the latest version:
* If you use the Webform module module for Drupal 8/9 upgrade to Webform
8.x-5.25 [4] or Webform 6.0.2 [5]
If you are using a previous release of the Webform module you can immediately
do one of several options.
1) Delete the default Contact form. (/form/contact)
2) Delete the default Contact form's confirmation email
handler.(/admin/structure/webform/manage/contact/handlers)
3) Update the default Contact form's confirmation email to only email the
current user's email address using the [current-user:mail] token.
(/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
4) Add SPAM protection [6] to the default Contact form.
Reported By:
* KarinG [7]
Fixed By:
* Jacob Rockowitz [8]
* Dan Chadwick [9]
* KarinG [10]
Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform
[4] https://www.drupal.org/project/webform/releases/8.x-5.25
[5] https://www.drupal.org/project/webform/releases/6.0.2
[6]
https://www.drupal.org/docs/contributed-modules/webform/webform-add-ons#spam
[7] https://www.drupal.org/user/787114
[8] https://www.drupal.org/user/371407
[9] https://www.drupal.org/user/504278
[10] https://www.drupal.org/user/787114
[11] https://www.drupal.org/user/36762