November 2023 - Security-news

Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053
by security-news＠drupal.org 29 Nov '23

29 Nov '23

View online: https://www.drupal.org/sa-contrib-2023-053 Project: Xsendfile [1] Date: 2023-November-29 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.2.0 Description: The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005 [3]. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController. Solution: Install the latest version: * If you use the Xsendfile module for Drupal 8.x, upgrade to Xsendfile 8.x-1.2. [4] Reported By: * Pierre Rudloff [5] Fixed By: * Damien Norris [6] * Bruno De Bondt [7] * Pierre Rudloff [8] * Conrad Lara [9] Coordinated By: * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/xsendfile [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-core-2023-005 [4] https://www.drupal.org/project/xsendfile/releases/8.x-1.2 [5] https://www.drupal.org/user/3611858 [6] https://www.drupal.org/user/97688 [7] https://www.drupal.org/user/33235 [8] https://www.drupal.org/user/3611858 [9] https://www.drupal.org/user/1790054 [10] https://www.drupal.org/user/36762

1 0

Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052
by security-news＠drupal.org 15 Nov '23

15 Nov '23

View online: https://www.drupal.org/sa-contrib-2023-052 Project: Mollie for Drupal [1] Date: 2023-November-15 Security risk: *Moderately critical* 12∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Faulty payment confirmation logic Affected versions: <2.2.1 Description: This module enables you to pay online via Mollie. The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying. This vulnerability is mitigated by the fact that an attacker must have some knowledge about the module's internal functionality. The issue only affects installations that use the Mollie for Drupal Commerce submodule. Solution: Install the latest version: * If you use the Mollie for Drupal module, upgrade to Mollie for Drupal 2.2.1 [3]. Reported By: * Rico Van de Vin [4] * Norbert Arends [5] Fixed By: * Rico Van de Vin [6] * hoporr [7] * Norbert Arends [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * xjm [10] of the Drupal Security Team [1] https://www.drupal.org/project/mollie [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/mollie/releases/2.2.1 [4] https://www.drupal.org/user/1243726 [5] https://www.drupal.org/user/660798 [6] https://www.drupal.org/user/1243726 [7] https://www.drupal.org/user/444070 [8] https://www.drupal.org/user/660798 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/u/xjm

1 0

GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051
by security-news＠drupal.org 08 Nov '23

08 Nov '23

View online: https://www.drupal.org/sa-contrib-2023-051 Project: GraphQL [1] Date: 2023-November-08 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery Affected versions: <3.4.0 || >=4.0.0 <4.6.0 Description: The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration. This vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below). Solution: Install the latest version: * If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6 [3] * If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4 [4] This vulnerability can also be mitigated by setting the SameSite attribute on session cookies to Lax (recommended) or Strict. This might not be suitable for sites that need to share the Drupal session cookie in some way with other sites. Set the following in your site's services.yml file: parameters: session.storage.options: # Session cookies are only used for backend admin accounts, so we restrict # the cookies to be used only from the backend origin. We don't use "Strict" # because that also removes cookies whenever an admin navigates from an # email or chat app, which is inconvenient. See # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesi… cookie_samesite: Lax Reported By: * Sam Becker [5] Fixed By: * Sam Becker [6] * Klaus Purer [7] * Alexander Varwijk [8] * Luis [9] * Lee Rowlands [10] of the Drupal Security Team Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * Damien McKenna [12] of the Drupal Security Team [1] https://www.drupal.org/project/graphql [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/graphql/releases/8.x-4.6 [4] https://www.drupal.org/project/graphql/releases/8.x-3.4 [5] https://www.drupal.org/user/1485048 [6] https://www.drupal.org/user/1485048 [7] https://www.drupal.org/user/262198 [8] https://www.drupal.org/user/1868952 [9] https://www.drupal.org/user/1022312 [10] https://www.drupal.org/user/395439 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/108450

1 0

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050
by security-news＠drupal.org 08 Nov '23

08 Nov '23

View online: https://www.drupal.org/sa-contrib-2023-050 Project: GraphQL [1] Date: 2023-November-08 Security risk: *Moderately critical* 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <3.4.0 || >=4.0.0 <4.6.0 Description: This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability. This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected. Solution: Install the latest version: * If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6 [3] * If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4 [4] Reported By: * Dezső Biczó [5] Fixed By: * Dezső Biczó [6] * Klaus Purer [7] * Alexander Varwijk [8] * Luis [9] Coordinated By: * Greg Knaddison [10] of the Drupal Security Team [1] https://www.drupal.org/project/graphql [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/graphql/releases/8.x-4.6 [4] https://www.drupal.org/project/graphql/releases/8.x-3.4 [5] https://www.drupal.org/user/315522 [6] https://www.drupal.org/user/315522 [7] https://www.drupal.org/user/262198 [8] https://www.drupal.org/user/1868952 [9] https://www.drupal.org/user/1022312 [10] https://www.drupal.org/user/36762

1 0

Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049
by security-news＠drupal.org 01 Nov '23

01 Nov '23

View online: https://www.drupal.org/sa-contrib-2023-049 Project: Paragraphs admin [1] Date: 2023-November-01 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Affected versions: <1.5.0 Description: This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page. Solution: Install the latest version: * If you use the paragraphs_admin module for Drupal 8.x, upgrade to paragraphs_admin 8.x-1.5 [3] Reported By: * Jen M [4] Fixed By: * Vladimir Roudakov [5] Coordinated By: * Lee Rowlands [6] of the Drupal Security Team * Greg Knaddison [7] of the Drupal Security Team * Damien McKenna [8] of the Drupal Security Team [1] https://www.drupal.org/project/paragraphs_admin [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/paragraphs_admin/releases/8.x-1.5 [4] https://www.drupal.org/user/3085703 [5] https://www.drupal.org/user/673120 [6] https://www.drupal.org/user/395439 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/108450

1 0

Drupal 9 is end of life - PSA-2023-11-01
by security-news＠drupal.org 01 Nov '23

01 Nov '23

View online: https://www.drupal.org/psa-2023-11-01 Date: 2023-November-01 Description: -------- DRUPAL 9 IS END OF LIFE AS OF NOVEMBER 1ST, 2023 -------------------- Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9. Two changes for Drupal contributed projects will occur before the end of January 2024. One is that the automated testing platform DrupalCI support for Drupal 9 will stop. The other is that release branches of contributed projects that only support Drupal 9 will be marked unsupported (see the tracking issue for details [1]). Thanks to everyone who helped create and maintain Drupal 9. -------- IT IS TIME TO UPDATE TO DRUPAL 10 COMPATIBLE RELEASES -------------- Check the documentation on updating a site to Drupal 10 [2]. If a contributed project is not yet compatible with Drupal 10, now is a good time to update it. Check for existing Drupal 10 compatibility issues relevant for your projects. If your project is already compatible with Drupal 10 but does not yet have a stable release, please tag a release, once you are confident in your project's stability. Where possible, tag a minor release supporting both Drupal 9 and 10 to ensure users have a smooth upgrade path. [1] https://www.drupal.org/project/drupalorg/issues/3398253 [2] https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-8-or-lat…

1 0