Security-news February 2022

security-news@drupal.org

1 participants
8 discussions

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026
by security-news＠drupal.org 23 Feb '22

23 Feb '22

View online: https://www.drupal.org/sa-contrib-2022-026 Project: Entity Reference Tree Widget [1] Date: 2022-February-23 Security risk: *Moderately critical* 12∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description: This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field. Solution: Install the latest version: * If you use the Entity Reference Tree Widget module for Drupal 8.x or 9.x, upgrade to entity_reference_tree 2.0.2 [3] Reported By: * Jeroen Vreuls [4] Fixed By: * Mingsong [5] * Jeroen Vreuls [6] Coordinated By: * Chris McCafferty [7] of the Drupal Security Team * Damien McKenna [8] of the Drupal Security Team [1] https://www.drupal.org/project/entity_reference_tree [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/entity_reference_tree/releases/2.0.2 [4] https://www.drupal.org/user/2700643 [5] https://www.drupal.org/user/2986445 [6] https://www.drupal.org/user/2700643 [7] https://www.drupal.org/user/1850070 [8] https://www.drupal.org/user/108450

1 0

GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027
by security-news＠drupal.org 23 Feb '22

23 Feb '22

View online: https://www.drupal.org/sa-contrib-2022-027 Project: GOV.UK Theme [1] Date: 2022-February-23 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System. The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access. The vulnerability is mitigated by the facts, that: * An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators. * For some of the vulnerabilities, certain contributed modules must be enabled. Solution: Install the latest version: * If you use the govuk_theme for Drupal 9.x, upgrade to govuk_theme 8.x-1.9 [3] Reported By: * Patrick Fey [4] Fixed By: * Andrew Hughes-Onslow [5] * Patrick Fey [6] Coordinated By: * Chris McCafferty [7] of the Drupal Security Team [1] https://www.drupal.org/project/govuk_theme [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/govuk_theme/releases/8.x-1.9 [4] https://www.drupal.org/user/998680 [5] https://www.drupal.org/user/2547946 [6] https://www.drupal.org/user/998680 [7] https://www.drupal.org/user/1850070

1 0

Drupal 7's End-of-Life extended to November 1, 2023 - PSA-2022-02-23
by security-news＠drupal.org 23 Feb '22

23 Feb '22

View online: https://www.drupal.org/psa-2022-02-23 Date: 2022-February-23 Description: *Drupal 7's End-of-Life extended to November 1, 2023 * More than a decade after its first release, Drupal 7 is still widely used across the web. It can be found powering civic engagement in government installations; managing vast amounts of content for faculty, students, and staff in educational institutions; and providing the digital backbone for many businesses and non-profit organizations. Drupal 9 is well-maintained, secure, stable, and feature-rich, but many organizations still rely on Drupal 7. The teams that built and still maintain these legacy Drupal installations, and the end users they serve, are important constituents of the Drupal community. Although these users should still plan their upgrade to a newer version of Drupal, if they are unable to upgrade before the currently announced end-of-life, it would not be responsible of us to leave them vulnerable. * Therefore, we are announcing that moving forward, the scheduled Drupal 7 End-of-Life date will be re-evaluated annually. As of today, we are extending the end-of-life by one year to November 1, 2023. * The Drupal project lead, Dries Buytaert, the Drupal Association, and the Drupal Security Working Group have been monitoring the Drupal 7 ecosystem since the previous end-of-life extension [1]. As a majority of all sites in the Drupal project are still on Drupal 7, we have decided that there is a clear need to provide additional support to the members of our community still using this version. At the end of the day, we have a moral imperative to keep as many of those sites secure as we can. We will announce by July 2023 whether we will extend Drupal 7 community support an additional year. Factors that we will consider are community support, Drupal 7 usage, and active Drupal 7 maintainers. Current support is made possible thanks to the many Drupal 7 maintainers and companies that are paying to support Drupal 7. You can donate to the Drupal Security Team on our Donations [2] page. For press contacts please email security-press(a)drupal.org [3] Coordinated By: The following people contributed to this public service announcement. Michael Hess Tim Lehnen Greg Knaddison Dries Buytaert xjm Gábor Hojtsy Madison Atkins [1] https://www.drupal.org/psa-2021-06-29 [2] https://donorbox.org/drupal-security [3] mailto:security-press@drupal.org

1 0

Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025
by security-news＠drupal.org 16 Feb '22

16 Feb '22

View online: https://www.drupal.org/sa-contrib-2022-025 Project: Quick Edit [1] Date: 2022-February-16 Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 [3]. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Solution: Install the latest version: * If you use the Quick Edit module for Drupal 9.x, upgrade to Quick Edit 1.0.1 [4] Reported By: * Samuel Mortenson [5] Fixed By: * Théodore Biadala [6] * xjm [7] of the Drupal Security Team * Alex Bronstein [8] of the Drupal Security Team * Adam G-H [9] * Drew Webber [10] of the Drupal Security Team * Wim Leers [11] * Ted Bowman [12] * Dave Long [13] * Derek Wright [14] * Lee Rowlands [15] of the Drupal Security Team * Samuel Mortenson [16] * Joseph Zhao [17] [1] https://www.drupal.org/project/quickedit [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2022-004 [4] https://www.drupal.org/project/quickedit/releases/1.0.1 [5] https://www.drupal.org/user/2582268 [6] https://www.drupal.org/user/598310 [7] https://www.drupal.org/user/65776 [8] https://www.drupal.org/user/78040 [9] https://www.drupal.org/user/205645 [10] https://www.drupal.org/user/255969 [11] https://www.drupal.org/user/99777 [12] https://www.drupal.org/user/240860 [13] https://www.drupal.org/user/246492 [14] https://www.drupal.org/user/46549 [15] https://www.drupal.org/user/395439 [16] https://www.drupal.org/user/2582268 [17] https://www.drupal.org/user/1987218

1 0

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
by security-news＠drupal.org 16 Feb '22

16 Feb '22

View online: https://www.drupal.org/sa-core-2022-004 Project: Drupal core [1] Date: 2022-February-16 Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information disclosure Description: The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. This advisory is not covered by Drupal Steward [3]. Solution: Install the latest version: * If you are using Drupal 9.3, update to Drupal 9.3.6 [4]. * If you are using Drupal 9.2, update to Drupal 9.2.13 [5]. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [6]. Drupal 7 core does not include the QuickEdit module and therefore is not affected. Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10 [7]. Reported By: * Samuel Mortenson [8] Fixed By: * Théodore Biadala [9] * xjm [10] of the Drupal Security Team * Alex Bronstein [11] of the Drupal Security Team * Adam G-H [12] * Drew Webber [13] of the Drupal Security Team * Wim Leers [14] * Ted Bowman [15] * Dave Long [16] * Derek Wright [17] * Lee Rowlands [18] of the Drupal Security Team * Samuel Mortenson [19] * Joseph Zhao [20] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/project/drupal/releases/9.3.6 [5] https://www.drupal.org/project/drupal/releases/9.2.13 [6] https://www.drupal.org/psa-2021-06-29 [7] https://www.drupal.org/node/3227039 [8] https://www.drupal.org/user/2582268 [9] https://www.drupal.org/user/598310 [10] https://www.drupal.org/user/65776 [11] https://www.drupal.org/user/78040 [12] https://www.drupal.org/user/205645 [13] https://www.drupal.org/user/255969 [14] https://www.drupal.org/user/99777 [15] https://www.drupal.org/user/240860 [16] https://www.drupal.org/user/246492 [17] https://www.drupal.org/user/46549 [18] https://www.drupal.org/user/395439 [19] https://www.drupal.org/user/2582268 [20] https://www.drupal.org/user/1987218

1 0

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
by security-news＠drupal.org 16 Feb '22

16 Feb '22

View online: https://www.drupal.org/sa-core-2022-003 Project: Drupal core [1] Date: 2022-February-16 Security risk: *Moderately critical* 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Improper input validation Description: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. Also see Quick Edit - Moderately critical - Access bypass - SA-CONTRIB-2022-025 [3] which addresses the same vulnerability for the contributed module. This advisory is not covered by Drupal Steward [4]. Solution: Install the latest version: * If you are using Drupal 9.3, update to Drupal 9.3.6 [5]. * If you are using Drupal 9.2, update to Drupal 9.2.13 [6]. * If you are using Drupal 7, update to Drupal 7.88 [7]. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [8]. Reported By: * Fabian Iwand [9] Fixed By: * xjm [10] of the Drupal Security Team * Lee Rowlands [11] of the Drupal Security Team * Ben Dougherty [12] of the Drupal Security Team * Drew Webber [13] of the Drupal Security Team * Jen Lampton [14] * Nate Lampton [15] * Fabian Franz [16] * Alex Bronstein [17] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-contrib-2022-025 [4] https://www.drupal.org/steward [5] https://www.drupal.org/project/drupal/releases/9.3.6 [6] https://www.drupal.org/project/drupal/releases/9.2.13 [7] https://www.drupal.org/project/drupal/releases/7.88 [8] https://www.drupal.org/psa-2021-06-29 [9] https://www.drupal.org/user/1632364 [10] https://www.drupal.org/user/65776 [11] https://www.drupal.org/user/395439 [12] https://www.drupal.org/user/1852732 [13] https://www.drupal.org/user/255969 [14] https://www.drupal.org/user/85586 [15] https://www.drupal.org/user/35821 [16] https://www.drupal.org/user/693738 [17] https://www.drupal.org/user/78040

1 0

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024
by security-news＠drupal.org 09 Feb '22

09 Feb '22

View online: https://www.drupal.org/sa-contrib-2022-024 Project: Custom Breadcrumbs [1] Date: 2022-February-09 Security risk: *Less critical* 8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description: The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission. Solution: Install the latest version: * If you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to Custom Breadcrumbs 1.0.1 [3] Reported By: * Krzysztof Domański [4] Fixed By: * Paulo Henrique Cota Starling [5] * Krzysztof Domański [6] Coordinated By: * Chris McCafferty [7] of the Drupal Security Team [1] https://www.drupal.org/project/custom_breadcrumbs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/custom_breadcrumbs/releases/1.0.1 [4] https://www.drupal.org/user/3572982 [5] https://www.drupal.org/user/3640109 [6] https://www.drupal.org/user/3572982 [7] https://www.drupal.org/user/1850070

1 0

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023
by security-news＠drupal.org 09 Feb '22

09 Feb '22

View online: https://www.drupal.org/sa-contrib-2022-023 Project: Fancy File Delete [1] Date: 2022-February-09 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access Bypass Description: This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities". Solution: Install the latest version *and do check your views configuration*: 1) If you use the Fancy File Delete module for Drupal ^8.x , upgrade to Fancy File Delete 2.0.7 [3] 2) Review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities". Reported By: * Ambient.Impact [4] Fixed By: * Daniel Pickering [5] * Jaime Seuma [6] Coordinated By: * Chris McCafferty [7] of the Drupal Security Team [1] https://www.drupal.org/project/fancy_file_delete [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/fancy_file_delete/releases/2.0.7 [4] https://www.drupal.org/user/1131532 [5] https://www.drupal.org/user/3285813 [6] https://www.drupal.org/user/3589760 [7] https://www.drupal.org/user/1850070

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news February 2022