Security-news December 2022

security-news@drupal.org

1 participants
3 discussions

File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
by security-news＠drupal.org 14 Dec '22

14 Dec '22

View online: https://www.drupal.org/sa-contrib-2022-065 Project: File (Field) Paths [1] Date: 2022-December-14 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names. The module's default configuration could temporarily expose private files to anonymous visitors. *Important note:* to fix the problem, database updates must be run in addition to updating the module. It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly. This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload. Solution: Install the latest version: * If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2 [3] Reported By: * Hayato Goto [4] * Drew Webber [5] of the Drupal Security Team * Steve Bink [6] Fixed By: * Hayato Goto [7] * David Snopek [8] of the Drupal Security Team * Vijay Mani [9] provisional member of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team * Oleh Vehera [11] * Damien McKenna [12] of the Drupal Security Team Coordinated By: * David Snopek [13] of the Drupal Security Team * Drew Webber [14] of the Drupal Security Team * Greg Knaddison [15] of the Drupal Security Team [1] https://www.drupal.org/project/filefield_paths [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/filefield_paths/releases/7.x-1.2 [4] https://www.drupal.org/user/2844385 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/3427991 [7] https://www.drupal.org/user/2844385 [8] https://www.drupal.org/user/266527 [9] https://www.drupal.org/user/93488 [10] https://www.drupal.org/user/255969 [11] https://www.drupal.org/user/3260314 [12] https://www.drupal.org/user/108450 [13] https://www.drupal.org/u/dsnopek [14] https://www.drupal.org/u/mcdruid [15] https://www.drupal.org/user/36762

1 0

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064
by security-news＠drupal.org 14 Dec '22

14 Dec '22

View online: https://www.drupal.org/sa-contrib-2022-064 Project: H5P - Create and Share Rich Content and Applications [1] Date: 2022-December-14 Security risk: *Moderately critical* 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: This module enables you to create interactive content. The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers. Solution: Install the latest version: * If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51 [3] Reported By: Disclosed publicly. Fixed By: * Frode Petterson [4] * paalj [5] Coordinated By: * Greg Knaddison [6] of the Drupal Security Team [1] https://www.drupal.org/project/h5p [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/h5p/releases/7.x-1.51 [4] https://www.drupal.org/user/823190 [5] https://www.drupal.org/user/1091732 [6] https://www.drupal.org/user/36762

1 0

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063
by security-news＠drupal.org 07 Dec '22

07 Dec '22

View online: https://www.drupal.org/sa-contrib-2022-063 Project: Entity Registration [1] Date: 2022-December-07 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: >=7.1.0 <7.1.9 Description: This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission. Solution: Install the latest version: * If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.9 [3] release *Note:* Sites that allow non-administrative users to manage registrations because the users can update the registration host entity and have "update own registration" permission for a given registration type, may need to give those users the "administer own registration" permission for them to retain the ability to manage registrations after installing this upgrade. Reported By: * Joël Pittet [4] Fixed By: * Joël Pittet [5] * Maria Fisher [6] * john.oltman [7] Coordinated By: * James Gilliland [8] of the Drupal Security Team Reported at: 20 November 2022 [1] https://www.drupal.org/project/registration [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/registration/releases/7.x-1.9 [4] https://www.drupal.org/user/160302 [5] https://www.drupal.org/user/160302 [6] https://www.drupal.org/user/2210776 [7] https://www.drupal.org/user/699926 [8] https://www.drupal.org/user/48673

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news December 2022