View online: https://www.drupal.org/sa-core-2022-002
Project: Drupal core [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross site scripting
Description:
jQuery UI is a third-party library used by Drupal. This library was
previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development,
and released a jQuery UI 1.13.0 [3] version. In addition to the issue covered
by SA-CORE-2022-001 [4], further security vulnerabilities disclosed in
jQuery UI 1.13.0 may affect Drupal 7 only:
* CVE-2021-41182: XSS in the altField option of the Datepicker widget [5]
* CVE-2021-41183: XSS in *Text options of the Datepicker widget [6]
Furthermore, other vulnerabilities listed below were previously unaddressed
in the version of jQuery UI included in Drupal 7 or in the jQuery Update [7]
module:
* CVE-2016-7103: XSS in closeText option of Dialog [8]
* CVE-2010-5312: XSS in the title option of Dialog [9] (applicable only to
the jQuery UI version included in D7 core)
It is possible that these vulnerabilities are exploitable via contributed
Drupal modules or custom code. As a precaution, this Drupal security release
applies the fix for the above cross-site scripting issues, without making
other changes to the jQuery UI version that is included in Drupal.
This advisory is not covered by Drupal Steward [10].
Important note regarding the jQuery Update contrib module
These backported fixes for D7 have also been tested against the version of
jQuery UI provided by the most recent releases of the jQuery Update module
(jQuery UI 1.10.2), and the fixes were confirmed to apply there. Therefore,
there is no accompanying security release for jQuery Update.
However, in early 2022 the currently supported release of jQuery Update
(7.x-2.7 from 2015) will be deprecated and replaced by a new release from the
7.x-4.x branch. The stable release from that branch will then be the only
release considered by the Drupal Security Team when new jQuery security issues
arise.
Please check the jQuery Update project page [11] for more details, and for
announcements when the changes are made to supported releases.
Solution:
Install the latest version:
* If you are using Drupal 7, update to Drupal 7.86 [12]
Reported By:
* Lauri Eskola [13]
Fixed By:
* Drew Webber [14] of the Drupal Security Team
* Alex Bronstein [15] of the Drupal Security Team
* Lauri Eskola [16]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://www.drupal.org/sa-core-2022-011
[5] https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
[6] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[7] https://www.drupal.org/project/jquery_update
[8] https://nvd.nist.gov/vuln/detail/CVE-2016-7103
[9] https://nvd.nist.gov/vuln/detail/CVE-2010-5312
[10] https://www.drupal.org/steward
[11] https://www.drupal.org/project/jquery_update
[12] https://www.drupal.org/project/drupal/releases/7.86
[13] https://www.drupal.org/user/1078742
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/78040
[16] https://www.drupal.org/user/1078742
View online: https://www.drupal.org/sa-contrib-2022-003
Project: Wysiwyg [1]
Date: 2022-January-05
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
This module enables you to integrate various What-You-See-Is-What-You-Get
(WYSIWYG) rich text editors into Drupal fields with text formats allowing
markup for easier editing.
The module doesn't sufficiently sanitize user input before attaching a
WYSIWYG editor to an input field such as a textarea. If the editor in use has
an XSS vulnerability, this would allow, for example, a commenter to submit
specially crafted markup that triggers the vulnerability when an
administrator views it in the editor.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create content using a text format that has an
attached, XSS-vulnerable rich text editor.
Solution:
Install the latest version:
* If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9 [3]
After upgrading, verify that text formats which have a WYSIWYG editor profile
also use a text filter, such as Core's "Limit allowed HTML tags", if they are
accessible by untrusted users.
A list of known compatible input filters that will be applied is shown when
configuring a WYSIWYG editor profile along with a status indicator.
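A script that performs that check across every text format on a Drupal 7 site, as an added example that is not part of the Wysiwyg module or Drupal core. It uses core's filter_formats(), filter_list_format(), filter_permission_name() and user_roles(), and assumes that Wysiwyg's wysiwyg_get_profile() takes a format id and returns a profile object with an ->editor property, or FALSE when no editor is attached:

```php
<?php
// Added example, not part of the Wysiwyg module or Drupal core. Run it on a
// Drupal 7 site with `drush php-script check_wysiwyg_filters.php`.
// Assumption: wysiwyg_get_profile($format_id) returns a profile object with
// an ->editor property, or FALSE when no editor is attached to that format.

foreach (filter_formats() as $format) {
  $profile = wysiwyg_get_profile($format->format);
  if (!$profile) {
    // No editor attached: not in scope for this advisory.
    continue;
  }

  // Collect the filters that are enabled on this format.
  $enabled = array();
  foreach (filter_list_format($format->format) as $name => $filter) {
    if (!empty($filter->status)) {
      $enabled[] = $name;
    }
  }
  // "Limit allowed HTML tags" is core's filter_html filter.
  $has_html_filter = in_array('filter_html', $enabled, TRUE);

  // Roles allowed to use the format. The fallback format has no permission
  // and is usable by every role, so treat it as reachable by everyone.
  $perm = filter_permission_name($format);
  $roles = $perm ? user_roles(FALSE, $perm) : user_roles();
  $untrusted = isset($roles[DRUPAL_ANONYMOUS_RID]) || isset($roles[DRUPAL_AUTHENTICATED_RID]);

  // Flag formats that untrusted roles can use with an editor attached but
  // without the HTML-limiting filter.
  $status = ($untrusted && !$has_html_filter) ? 'REVIEW' : 'ok';
  printf("%-7s %-16s editor=%-10s filter_html=%-3s roles=%s\n",
    $status, $format->format, $profile->editor,
    $has_html_filter ? 'yes' : 'no', implode(',', $roles));
}
```

A line marked REVIEW is a format that anonymous or authenticated users may use, that has an editor profile, and that does not run filter_html; that is exactly the configuration the advisory asks site owners to look for. Formats reachable only by trusted roles are still listed so the editor and filter set can be reviewed by eye.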
It is recommended to always use the latest stable version of any installed
editor library.
Reported By:
* r0ng [4]
Fixed By:
* Daniel Kudwien [5]
* Henrik Danielsson [6]
* r0ng [7]
* Wim Leers [8]
* Mori Sugimoto [9] of the Drupal Security Team
* Damien McKenna [10] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
* Damien McKenna [12] of the Drupal Security Team
* Chris [13] of the Drupal Security Team
[1] https://www.drupal.org/project/wysiwyg
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wysiwyg/releases/7.x-2.9
[4] https://www.drupal.org/user/2462440
[5] https://www.drupal.org/user/54136
[6] https://www.drupal.org/user/244227
[7] https://www.drupal.org/user/2462440
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/82971
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/user/1850070
View online: https://www.drupal.org/sa-contrib-2022-002
Project: Simple OAuth (OAuth2) & OpenID Connect [1]
Date: 2022-January-05
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables you to implement OAuth 2.0 authentication for Drupal.
The module doesn't sufficiently verify client secret keys for "confidential"
OAuth 2.0 clients when using certain grant types. The token refresh and
client credentials grants are not affected.
This vulnerability is mitigated by the fact that the vast majority of OAuth
2.0 clients in the wild are public, not confidential. Furthermore, all
affected grant types still require users to authenticate to Drupal during the
OAuth flow.
The implicit grant type is insecure for other reasons (and still requires
user authentication) and is disabled by default.
Sites at risk of information disclosure would be specifically configured to
restrict access based on the OAuth client's confidentiality status and
configured scopes, not only traditional Drupal user permissions and roles.
Further mitigation includes configuring allowed redirect URIs for clients
[3]. This is an OAuth best practice for guarding against man-in-the-middle
attacks on authorization codes, and prevents redirection to imposter clients.
Anyone implementing OAuth 2.0 on their Drupal site is also encouraged to
review the relevant RFCs and Internet-Drafts [4] pertaining to OAuth
security.
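The two checks this advisory turns on, authenticating confidential clients by their secret before any grant is honoured, and accepting only redirect URIs that exactly match the registration, shown in a minimal self-contained PHP token endpoint. This is an added illustration, not code from the Simple OAuth module; the client registry, the secret, the issued authorization code and the redirect URIs are all constructed for the example:

```php
<?php
// Added example, not code from the Simple OAuth module: a minimal token
// endpoint for the authorization_code grant that (1) authenticates
// confidential clients by their secret and (2) accepts only redirect URIs
// that exactly match the registration. Every value below is constructed.

declare(strict_types=1);

// Constructed registry. Secrets are stored as password hashes. 'confidential'
// marks clients that can keep a secret (a server-side backend), as opposed to
// public clients (a browser SPA) that cannot.
function registeredClients(): array {
  return [
    'web-backend' => [
      'confidential' => true,
      'secret_hash' => password_hash('constructed-secret', PASSWORD_DEFAULT),
      'redirect_uris' => ['https://app.example/cb'],
    ],
    'spa' => [
      'confidential' => false,
      'secret_hash' => null,
      'redirect_uris' => ['https://spa.example/callback'],
    ],
  ];
}

// Client authentication (RFC 6749 section 3.2.1). For a confidential client a
// missing or wrong secret must be rejected regardless of the grant type; an
// incomplete version of this check is what the advisory describes.
function authenticateClient(array $clients, string $clientId, ?string $secret): ?array {
  if (!isset($clients[$clientId])) {
    return null;
  }
  $client = $clients[$clientId];
  if ($client['confidential']) {
    // password_verify() compares in constant time.
    if ($secret === null || $secret === '' || !password_verify($secret, $client['secret_hash'])) {
      return null;
    }
  }
  return $client;
}

// Exact-match redirect URI validation (RFC 6819 section 5.2.3.5). No prefix or
// wildcard matching: "https://app.example/cb.attacker.example" must not pass
// for a registration of "https://app.example/cb".
function redirectUriAllowed(array $client, string $uri): bool {
  return in_array($uri, $client['redirect_uris'], true);
}

// $codes is a constructed store of issued authorization codes:
// code => ['client_id' => ..., 'redirect_uri' => the URI used at /authorize].
function handleTokenRequest(array $clients, array $codes, array $p): array {
  $clientId = $p['client_id'] ?? '';
  $client = authenticateClient($clients, $clientId, $p['client_secret'] ?? null);
  if ($client === null) {
    return ['error' => 'invalid_client'];
  }
  if (($p['grant_type'] ?? '') !== 'authorization_code') {
    return ['error' => 'unsupported_grant_type'];
  }
  $code = $codes[$p['code'] ?? ''] ?? null;
  // The code must have been issued to this client, and the redirect_uri must
  // match both the registration and the URI presented at authorization time.
  $uri = $p['redirect_uri'] ?? '';
  if ($code === null || $code['client_id'] !== $clientId
      || !redirectUriAllowed($client, $uri) || $uri !== $code['redirect_uri']) {
    return ['error' => 'invalid_grant'];
  }
  return ['access_token' => bin2hex(random_bytes(16)), 'token_type' => 'Bearer'];
}

function check(bool $ok, string $what): void {
  if (!$ok) {
    throw new RuntimeException("check failed: $what");
  }
}

// Constructed walk-through.
$clients = registeredClients();
$codes = ['abc123' => ['client_id' => 'web-backend', 'redirect_uri' => 'https://app.example/cb']];
$req = [
  'grant_type' => 'authorization_code',
  'code' => 'abc123',
  'redirect_uri' => 'https://app.example/cb',
  'client_id' => 'web-backend',
];
check(handleTokenRequest($clients, $codes, $req)['error'] === 'invalid_client', 'missing secret is refused');
check(handleTokenRequest($clients, $codes, $req + ['client_secret' => 'wrong'])['error'] === 'invalid_client', 'wrong secret is refused');
check(isset(handleTokenRequest($clients, $codes, $req + ['client_secret' => 'constructed-secret'])['access_token']), 'correct secret gets a token');
$bad = ['redirect_uri' => 'https://app.example/cb.attacker.example'] + $req + ['client_secret' => 'constructed-secret'];
check(handleTokenRequest($clients, $codes, $bad)['error'] === 'invalid_grant', 'unregistered redirect_uri is refused');
echo "all checks passed\n";
```

Run with `php token_check.php`. The design point is that client authentication happens before the grant type is even looked at, so no grant can bypass it, and that the redirect URI is compared as a whole string against the registered list rather than by prefix, which is the guard against the redirection to imposter clients mentioned above.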
Solution:
Install the latest version:
* If you use the simple_oauth module for Drupal 9.x, upgrade to
simple_oauth-8.x-4.6 [5], 5.0.6 [6] or 5.2.0 [7].
*Important note*: 8.x-4.6 will be the last release for the 8.x-4.x branch.
Support for this major version will end February 28, 2022. The upgrade path
to 5.x is easy, supported and well-tested. All users of versions < 5 should
upgrade to 5.2.0.
The 5.0.x version will be supported until July 31, 2022. Read the 5.2.0
change record [8] for information about changes to previously
non-spec-compliant response codes and messages.
Reported By:
* Simon Bäse [9]
Fixed By:
* Brad Jones [10]
* Simon Bäse [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
[1] https://www.drupal.org/project/simple_oauth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://tools.ietf.org/html/rfc6819#section-5.2.3.5
[4] https://oauth.net/security/
[5] https://www.drupal.org/project/simple_oauth/releases/8.x-4.6
[6] https://www.drupal.org/project/simple_oauth/releases/5.0.6
[7] https://www.drupal.org/project/simple_oauth/releases/5.2.0
[8] https://www.drupal.org/node/3255523
[9] https://www.drupal.org/user/3686593
[10] https://www.drupal.org/user/405824
[11] https://www.drupal.org/user/3686593
[12] https://www.drupal.org/user/36762