July 2022 - Security-news - lists.drupal.org

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051
by security-news＠drupal.org 27 Jul '22

27 Jul '22

View online: https://www.drupal.org/sa-contrib-2022-051 Project: Tagify [1] Version: 1.0.41.0.31.0.2-beta11.0.1-beta11.0.0-beta1 Date: 2022-July-27 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:None/II:Some/E:Exploit/TD:Uncommon [2] Vulnerability: Access bypass Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default. This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites. Solution: Install the latest version: * If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5 [3] Reported By: * Conrad Lara [4] Fixed By: * David Galeano [5] * Conrad Lara [6] Coordinated By: * Damien McKenna [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/tagify [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tagify/releases/1.0.5 [4] https://www.drupal.org/user/1790054 [5] https://www.drupal.org/user/3591999 [6] https://www.drupal.org/user/1790054 [7] https://www.drupal.org/user/108450 [8] https://www.drupal.org/user/36762

1 0

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050
by security-news＠drupal.org 27 Jul '22

27 Jul '22

View online: https://www.drupal.org/sa-contrib-2022-050 Project: PDF generator API [1] Version: 2.2.12.2.02.1.02.0.0 Date: 2022-July-27 Security risk: *Moderately critical* 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution Description: This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes. [3] Solution: Install the latest version: * If you use the pdf_api module for Drupal 2.x, upgrade to pdf_api 2.2.2 [4] Reported By: * tedfordgif [5] * David Archuleta [6] Fixed By: * tedfordgif [7] * Nigel Cunningham [8] Coordinated By: * Damien McKenna [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/pdf_api [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/dompdf/dompdf/releases/tag/v2.0.0 [4] https://www.drupal.org/project/pdf_api/releases/2.2.2 [5] https://www.drupal.org/user/215631 [6] https://www.drupal.org/user/3569928 [7] https://www.drupal.org/user/215631 [8] https://www.drupal.org/user/250105 [9] https://www.drupal.org/user/108450 [10] https://www.drupal.org/user/36762

1 0

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049
by security-news＠drupal.org 27 Jul '22

27 Jul '22

View online: https://www.drupal.org/sa-contrib-2022-049 Project: Context [1] Version: 7.x-3.107.x-3.97.x-3.87.x-3.77.x-3.67.x-3.57.x-3.47.x-3.37.x-3.27.x-3.17.x-3.07.x-3.0-rc17.x-3.0-beta77.x-3.0-beta67.x-3.0-beta57.x-3.0-beta47.x-3.0-beta37.x-3.0-beta27.x-3.0-beta17.x-3.0-alpha37.x-3.0-alpha27.x-3.0-alpha1 Date: 2022-July-27 Security risk: *Moderately critical* 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks". Solution: Install the latest version: * If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.11. [3] Reported By: * Harold Aling [4] Fixed By: * Harold Aling [5] * Bostjan Kovac [6] * Nedjo Rogers [7] Coordinated By: * Damien McKenna [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team * Michael Hess [10] of the Drupal Security Team [1] https://www.drupal.org/project/context [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/context/releases/7.x-3.11 [4] https://www.drupal.org/user/168440 [5] https://www.drupal.org/user/168440 [6] https://www.drupal.org/user/1773456 [7] https://www.drupal.org/user/4481 [8] https://www.drupal.org/user/108450 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/102818

1 0

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
by security-news＠drupal.org 20 Jul '22

20 Jul '22

View online: https://www.drupal.org/sa-core-2022-015 Project: Drupal core [1] Date: 2022-July-20 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Multiple vulnerabilities Description: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covered by Drupal Steward [3]. Solution: Install the latest version: * If you are using Drupal 9.4, update to Drupal 9.4.3 [4]. * If you are using Drupal 9.3, update to Drupal 9.3.19 [5]. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [6]. Drupal 7 core does not include the Media module and therefore is not affected. Reported By: * Heine [7] of the Drupal Security Team Fixed By: * Lee Rowlands [8] of the Drupal Security Team * Alex Pott [9] of the Drupal Security Team * Samuel Mortenson [10] * xjm [11] of the Drupal Security Team * Heine [12] of the Drupal Security Team * Joseph Zhao [13], provisional member of the Drupal Security Team * Vijay Mani [14], provisional member of the Drupal Security Team * Alex Bronstein [15] of the Drupal Security Team * Neil Drumm [16] of the Drupal Security Team * Benji Fisher [17], provisional member of the Drupal Security Team * Jen Lampton [18], provisional member of the Drupal Security Team * Dave Long [19], provisional member of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/project/drupal/releases/9.4.3 [5] https://www.drupal.org/project/drupal/releases/9.3.19 [6] https://www.drupal.org/psa-2021-06-29 [7] https://www.drupal.org/user/17943 [8] https://www.drupal.org/user/395439 [9] https://www.drupal.org/user/157725 [10] https://www.drupal.org/user/2582268 [11] https://www.drupal.org/user/65776 [12] https://www.drupal.org/user/17943 [13] https://www.drupal.org/user/1987218 [14] https://www.drupal.org/user/93488 [15] https://www.drupal.org/user/78040 [16] https://www.drupal.org/user/3064 [17] https://www.drupal.org/user/683300 [18] https://www.drupal.org/user/85586 [19] https://www.drupal.org/user/246492

1 0

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
by security-news＠drupal.org 20 Jul '22

20 Jul '22

View online: https://www.drupal.org/sa-core-2022-014 Project: Drupal core [1] Date: 2022-July-20 Security risk: *Critical* 15∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Arbitrary PHP code execution Description: Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012 [3]) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010 [4]). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. Solution: Install the latest version: * If you are using Drupal 9.4, update to Drupal 9.4.3 [5]. * If you are using Drupal 9.3, update to Drupal 9.3.19 [6]. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [7]. Drupal 7 core is not affected. .... Auditing your files directory's .htaccess to ensure it has not been overwritten or overridden in a subdirectory If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory: find ./ -name ".htaccess" -print Drupal automatically creates .htaccess files like the following in the root of the public files directory: # Turn off all options we don't need. Options -Indexes -ExecCGI -Includes -MultiViews # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 # If we know how to do it safely, disable the PHP engine entirely. php_flag engine off php_flag engine off Check with your system administrator for the correct .htaccess configuration for the given files directory. This advisory is not covered by Drupal Steward [8]. Reported By: * elarlang [9] Fixed By: * Peter Wolanin [10] of the Drupal Security Team * xjm [11] of the Drupal Security Team * Drew Webber [12] of the Drupal Security Team * Alex Bronstein [13] of the Drupal Security Team * Greg Knaddison [14] of the Drupal Security Team * Jen Lampton [15], provisional member of the Drupal Security Team * Lee Rowlands [16] of the Drupal Security Team * Dave Long [17], provisional member of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2020-012 [4] https://www.drupal.org/sa-core-2019-010 [5] https://www.drupal.org/project/drupal/releases/9.4.3 [6] https://www.drupal.org/project/drupal/releases/9.3.19 [7] https://www.drupal.org/psa-2021-06-29 [8] https://www.drupal.org/steward [9] https://www.drupal.org/user/3583903 [10] https://www.drupal.org/user/49851 [11] https://www.drupal.org/user/65776 [12] https://www.drupal.org/user/255969 [13] https://www.drupal.org/user/78040 [14] https://www.drupal.org/user/36762 [15] https://www.drupal.org/user/85586 [16] https://www.drupal.org/user/395439 [17] https://www.drupal.org/user/246492

1 0

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
by security-news＠drupal.org 20 Jul '22

20 Jul '22

View online: https://www.drupal.org/sa-core-2022-013 Project: Drupal core [1] Date: 2022-July-20 Security risk: *Moderately critical* 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access Bypass Description: Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected. This advisory is not covered by Drupal Steward [3]. Solution: Install the latest version: * If you are using Drupal 9.4, update to Drupal 9.4.3 [4]. * If you are using Drupal 9.3, update to Drupal 9.3.19 [5]. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [6]. Drupal 7 core is not affected. Reported By: * Pierre Rudloff [7] Fixed By: * Pierre Rudloff [8] * Tim Plunkett [9] * Heine [10] of the Drupal Security Team * Alex Bronstein [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team * Lauri Eskola [13], provisional member of the Drupal Security Team * Dave Long [14], provisional member of the Drupal Security Team * Lee Rowlands [15] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/project/drupal/releases/9.4.3 [5] https://www.drupal.org/project/drupal/releases/9.3.19 [6] https://www.drupal.org/psa-2021-06-29 [7] https://www.drupal.org/user/3611858 [8] https://www.drupal.org/user/3611858 [9] https://www.drupal.org/user/241634 [10] https://www.drupal.org/user/17943 [11] https://www.drupal.org/user/78040 [12] https://www.drupal.org/user/65776 [13] https://www.drupal.org/user/1078742 [14] https://www.drupal.org/user/246492 [15] https://www.drupal.org/user/395439

1 0

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
by security-news＠drupal.org 20 Jul '22

20 Jul '22

View online: https://www.drupal.org/sa-core-2022-012 Project: Drupal core [1] Date: 2022-July-20 Security risk: *Moderately critical* 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Information Disclosure Description: In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating. Solution: Install the latest version: * If you are using Drupal 9.4, update to Drupal 9.4.3 [3]. * If you are using Drupal 9.3, update to Drupal 9.3.19 [4]. * If you are using Drupal 7, update to Drupal 7.91 [5]. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [6]. Reported By: * Guy Elsmore-Paddock [7] * Conrad Lara [8] Fixed By: * Lee Rowlands [9] of the Drupal Security Team * Conrad Lara [10] * mondrake [11] * Alex Bronstein [12] of the Drupal Security Team * Dave Reid [13] of the Drupal Security Team * xjm [14] of the Drupal Security Team * Guy Elsmore-Paddock [15] * Dave Long [16] Provisional Member of the Drupal Security Team * Lauri Eskola [17] Provisional Member of the Drupal Security Team * David Strauss [18] of the Drupal Security Team * Benji Fisher [19] Provisional Member of the Drupal Security Team * Alex Pott [20] of the Drupal Security Team * Drew Webber [21] of the Drupal Security Team * Fabian Franz [22] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/9.4.3 [4] https://www.drupal.org/project/drupal/releases/9.3.19 [5] https://www.drupal.org/project/drupal/releases/7.91 [6] https://www.drupal.org/psa-2021-06-29 [7] https://www.drupal.org/user/156932 [8] https://www.drupal.org/user/1790054 [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/1790054 [11] https://www.drupal.org/user/1307444 [12] https://www.drupal.org/user/78040 [13] https://www.drupal.org/user/53892 [14] https://www.drupal.org/user/65776 [15] https://www.drupal.org/user/156932 [16] https://www.drupal.org/user/246492 [17] https://www.drupal.org/user/1078742 [18] https://www.drupal.org/user/93254 [19] https://www.drupal.org/user/683300 [20] https://www.drupal.org/user/157725 [21] https://www.drupal.org/user/255969 [22] https://www.drupal.org/user/693738

1 0

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048
by security-news＠drupal.org 13 Jul '22

13 Jul '22

View online: https://www.drupal.org/sa-contrib-2022-048 Project: Entity Print [1] Date: 2022-July-13 Security risk: *Moderately critical* 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default [2] Vulnerability: Multiple: Remote Code Execution, Information disclosure Description: This module enables you to generate print versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0 See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0 [3] .... Note on 3rd party vulnerabilities This security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is PSA-2019-09-04 [4]). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory. Solution: Install the latest version (8.x-2.6 [5]) of this module and update dompdf/dompdf at the same time. It is recommended to use composer to do the update using commands similar to the following: composer update drupal/entity_print composer require dompdf/dompdf:~2 Reported By: * szato [6] * Munavir P k [7] Fixed By: * Lee Rowlands [8] of the Drupal Security Team * Carlos Santana [9] * Manoj Selvan [10] Coordinated By: * Lee Rowlands [11] of the Drupal Security Team * Greg Knaddison [12] of the Drupal Security Team [1] https://www.drupal.org/project/entity_print [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/dompdf/dompdf/releases/tag/v2.0.0 [4] https://www.drupal.org/psa-2019-09-04 [5] https://www.drupal.org/project/entity_print/releases/8.x-2.6 [6] https://www.drupal.org/user/389677 [7] https://www.drupal.org/user/3604066 [8] https://www.drupal.org/user/395439 [9] https://www.drupal.org/user/1781526 [10] https://www.drupal.org/user/3693487 [11] https://www.drupal.org/user/395439 [12] https://www.drupal.org/user/36762

1 0