March 2022 - Security-news - lists.drupal.org

Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032
by security-news＠drupal.org 30 Mar '22

30 Mar '22

View online: https://www.drupal.org/sa-contrib-2022-032 Project: Anti Spam by CleanTalk [1] Date: 2022-March-30 Security risk: *Moderately critical* 14∕25 AC:Basic/A:None/CI:None/II:All/E:Theoretical/TD:Default [2] Vulnerability: SQL Injection Description: This module provides integration with the CleanTalk spam protection service. The module does not properly filter data in certain circumstances. Solution: Install the latest version: * If you use the Anti Spam by CleanTalk module for Drupal 8.x, upgrade to Anti Spam by CleanTalk 8.x-4.13 [3] * If you use the Anti Spam by CleanTalk module for Drupal 9.x, upgrade to Anti Spam by CleanTalk 9.1.19 [4] Reported By: * Glomberg [5] * Heine [6] of the Drupal Security Team Fixed By: * Glomberg [7] Coordinated By: * Chris McCaffrey [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/cleantalk [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/cleantalk/releases/8.x-4.13 [4] https://www.drupal.org/project/cleantalk/releases/9.1.19 [5] https://www.drupal.org/user/3624869 [6] https://www.drupal.org/user/17943 [7] https://www.drupal.org/user/3624869 [8] https://www.drupal.org/user/1850070 [9] https://www.drupal.org/user/36762

1 0

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
by security-news＠drupal.org 23 Mar '22

23 Mar '22

View online: https://www.drupal.org/sa-contrib-2022-031 Project: Role Delegation [1] Date: 2022-March-23 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2] Vulnerability: Privilege escalation Description: This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user. This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the views bulk operations module enabled. E.g. The admin_views module provides such a view. Solution: Install the latest version: * If you use the Role Delegation module for Drupal 7.x, upgrade to Role Delegation 7.x-1.3 [3] Reported By: * Michael Forbes [4] * Jeroen Tubex [5] * Stein Setvik [6] Fixed By: * Michael Forbes [7] * Jeroen Tubex [8] * Stein Setvik [9] Coordinated By: * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/role_delegation [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/role_delegation/releases/7.x-1.3 [4] https://www.drupal.org/user/1810100 [5] https://www.drupal.org/user/2228934 [6] https://www.drupal.org/user/77805 [7] https://www.drupal.org/user/1810100 [8] https://www.drupal.org/user/2228934 [9] https://www.drupal.org/user/77805 [10] https://www.drupal.org/user/36762

1 0

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030
by security-news＠drupal.org 23 Mar '22

23 Mar '22

View online: https://www.drupal.org/sa-contrib-2022-030 Project: Colorbox Node [1] Date: 2022-March-23 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Unsupported Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported [3] /This module was unsupported on 2022-01-26, however, the SA was missed in publishing them at that time./ Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] in full. [1] https://www.drupal.org/project/colorbox_node [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] https://www.drupal.org/node/251466#procedure---own-project---unsupported

1 0

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
by security-news＠drupal.org 21 Mar '22

21 Mar '22

View online: https://www.drupal.org/sa-core-2022-006 Project: Drupal core [1] Date: 2022-March-21 Security risk: *Moderately critical* 11∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update [3] which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule [4] since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk. This advisory is not covered by Drupal Steward. Solution: Install the latest version: * If you are using Drupal 9.3, update to Drupal 9.3.9 [5]. * If you are using Drupal 9.2, update to Drupal 9.2.16 [6]. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [7]. Drupal 7 is not affected. Reported By: * Jeroen Tubex [8] * Damien McKenna [9] of the Drupal Security Team Fixed By: * Jess [10] of the Drupal Security Team * Alex Pott [11] of the Drupal Security Team * Lee Rowlands [12] of the Drupal Security Team * Greg Knaddison [13] of the Drupal Security Team * Peter Wolanin [14] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 [4] https://www.drupal.org/node/1173280 [5] https://www.drupal.org/project/drupal/releases/9.3.9 [6] https://www.drupal.org/project/drupal/releases/9.2.16 [7] https://www.drupal.org/psa-2021-06-29 [8] https://www.drupal.org/user/2228934 [9] https://www.drupal.org/user/108450 [10] https://www.drupal.org/user/65776 [11] https://www.drupal.org/user/157725 [12] https://www.drupal.org/user/395439 [13] https://www.drupal.org/user/36762 [14] https://www.drupal.org/user/49851

1 0

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005
by security-news＠drupal.org 16 Mar '22

16 Mar '22

View online: https://www.drupal.org/sa-core-2022-005 Project: Drupal core [1] Date: 2022-March-16 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Third-party libraries CVE IDs: CVE-2022-24728CVE-2022-24729 Description: The Drupal project uses the CKEditor [3] library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal [4]. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access. For more information, see CKEditor's security advisories: * CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code [5] * CVE-2022-24729: Regular expression Denial of Service in dialog plugin [6] This advisory is not covered by Drupal Steward [7]. Solution: Install the latest version: * If you are using Drupal 9.3, update to Drupal 9.3.8 [8]. * If you are using Drupal 9.2, update to Drupal 9.2.15 [9]. All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [10]. .... Instructions for Drupal 7 and contributed modules Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins [11] previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core. Users of the Webform module should ensure Webform's version of CKEditor 4 is also up-to-date after updating Drupal core and libraries for any affected contributed modules. If it is not, Webform users can try the following steps to update it: 1) If using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update 2) If using Drush without Composer, run drush webform:libraries:update. Learn more about updating Webform libraries. [12] Reported By: * Jacek Bogdański [13] Fixed By: * Jess [14] of the Drupal Security Team * Wim Leers [15] * Lee Rowlands [16] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/ckeditor/ckeditor4 [4] https://ckeditor.com/blog/ckeditor-4.18.0-browser-bugfix-and-security-patch… [5] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w… [6] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2… [7] https://www.drupal.org/steward [8] https://www.drupal.org/project/drupal/releases/9.3.8 [9] https://www.drupal.org/project/drupal/releases/9.2.15 [10] https://www.drupal.org/psa-2021-06-29 [11] https://www.drupal.org/psa-2011-002 [12] https://www.drupal.org/docs/contributed-modules/webform/webform-libraries [13] https://www.drupal.org/user/3683355 [14] https://www.drupal.org/user/65776 [15] https://www.drupal.org/user/99777 [16] https://www.drupal.org/user/395439

1 0

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029
by security-news＠drupal.org 09 Mar '22

09 Mar '22

View online: https://www.drupal.org/sa-contrib-2022-029 Project: Opigno Learning path [1] Date: 2022-March-09 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in. Solution: Install the latest version: * If you use the opigno_learning_path module for Drupal 9.x, upgrade to 3.0.1 opigno_learning_path 3.0.1 [3] Reported By: * Aaron Bauman [4] Fixed By: * Aaron Bauman [5] * James Aparicio [6] [1] https://www.drupal.org/project/opigno_learning_path [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/opigno_learning_path/releases/3.0.1 [4] https://www.drupal.org/user/384578 [5] https://www.drupal.org/user/384578 [6] https://www.drupal.org/user/2547544

1 0

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028
by security-news＠drupal.org 09 Mar '22

09 Mar '22

View online: https://www.drupal.org/sa-contrib-2022-028 Project: SVG Formatter [1] Date: 2022-March-09 Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Cross Site Scripting Description: SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images. Solution: Update the module (8.x-1.17 [3] or 2.0.1 [4]) which will enable updating to the enshrined/svg-sanitize to version 0.15 or newer library. The updated library is most easily installed with Composer. To update the module and library it's possible to run the following Composer command: composer update --with-dependencies drupal/svg_formatterReported By: * Jeroen Tubex [5] Fixed By: * Goran Nikolovski [6] Coordinated By: * Damien McKenna [7] of the Drupal Security Team * Lee Rowlands [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/svg_formatter [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/svg_formatter/releases/8.x-1.17 [4] https://www.drupal.org/project/svg_formatter/releases/2.0.1 [5] https://www.drupal.org/user/2228934 [6] https://www.drupal.org/user/3451979 [7] https://www.drupal.org/user/108450 [8] https://www.drupal.org/user/395439 [9] https://www.drupal.org/user/36762

1 0

End of Drupal 6 vendor support - PSA-2022-03-09
by security-news＠drupal.org 09 Mar '22

09 Mar '22

View online: https://www.drupal.org/psa-2022-03-09 Date: 2022-March-09 Description: Drupal 6 LTS vendor-provided support will end on October 22, 2022. On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community. On behalf of the community the Drupal Security Team would like to thank all the vendors that participated in this program: Tag1 [1], Acquia [2], and myDropWizard [3]. After the Drupal 6 LTS program ends, security issues for Drupal 6 may be disclosed in public, and zero-days (i.e, security vulnerabilities being exploited in the wild without advanced warning) may occur. Patches for Drupal 6 security issues will no longer be provided by any vendor. Drupal 6.x Update Status module data and package distribution may be disabled or removed as Drupal.org prepares to update to newer infrastructure. Solution: If you are still maintaining a Drupal 6 site, we recommend migrating to Drupal 7 or Drupal 9 before the program ends. Learn more about upgrading from Drupal 6 to Drupal 9 [4]. [1] https://www.drupal.org/tag1-consulting [2] https://www.drupal.org/acquia [3] https://www.drupal.org/mydropwizard [4] https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-6-or-7-t…

1 0