View online: https://www.drupal.org/sa-contrib-2023-055
Project: Data Visualisation Framework [1]
Date: 2023-December-20
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: < 2.0.2
Description:
This module allows you to turn various data sources (e.g. a CSV or JSON file)
into interactive visualisations. The DVF module provides a field (storage,
widget and formatter) that can be added to any entity.
This module bundles two third-party JavaScript libraries with known
vulnerabilities rated low to medium severity. One of them is a cross-site
scripting vulnerability that may affect Drupal sites as persistent (stored,
not reflected) cross-site scripting: a malicious value saved into content that
is rendered by the visualisation is executed in the browser of every visitor
who views it. This release updates both libraries.
The issue is mitigated by the fact that an attacker needs permission to create
or edit content that is displayed using the Data Visualisation Framework.
Solution:
Install the latest version:
* If you use the Data Visualisation Framework for Drupal module (DVF for
short), upgrade to dvf 2.0.2 [3]
Reported By:
* Joseph Zhao [4]
Fixed By:
* Joseph Zhao [5]
Coordinated By:
* Damien McKenna [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
* cilefen [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/dvf
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/dvf/releases/2.0.2
[4] https://www.drupal.org/user/1987218
[5] https://www.drupal.org/user/1987218
[6] https://www.drupal.org/u/DamienMcKenna
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/cilefen
[9] https://www.drupal.org/u/larowlan
View online: https://www.drupal.org/sa-contrib-2023-054
Project: Group [1]
Date: 2023-December-06
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.2.2 || >=3.0.0 <3.2.2
Description:
The Group module has the ability to make content private to specific groups.
When viewing a list of entities, e.g. nodes, a visitor should only see those
entities that are either not attached to a group or that they have group
access to.
The module does not sufficiently enforce list access in the scenario where two
users have the same outsider and insider permissions but are members of
different groups, and no individual roles are assigned to those memberships.
In that scenario the permissions hash computed for both users is identical
even though it should differ, so list access derived from that hash treats the
two users alike despite their different group memberships.
This vulnerability is mitigated by the fact that an attacker must share a
permissions hash with another user, which is rare but not unthinkable.
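The collision described above, as an added illustrative model (this is not the Group module's code; its real hash generator is PHP and takes other inputs). The two users, their permissions, the node list and the way the hash is used as a cache key are all constructed for the demo; only the logic error is taken from the advisory: memberships that carry no individual roles contribute nothing to the hash, so two users in different groups hash identically.

```python
"""Toy model of the Group permissions-hash flaw (added example, hypothetical data)."""
import hashlib
import json

# Constructed users: identical outsider and insider permissions, members of
# *different* groups, and no individual roles on either membership.
USERS = {
    "alice": {
        "outsider": ["view group"],
        "insider": ["view group", "view group_node:article entity"],
        "memberships": {"group-1": []},   # member of group-1, no roles
    },
    "bob": {
        "outsider": ["view group"],
        "insider": ["view group", "view group_node:article entity"],
        "memberships": {"group-2": []},   # member of group-2, no roles
    },
}

# Constructed content: (node id, owning group or None for public).
NODES = [("n1", None), ("n2", "group-1"), ("n3", "group-2")]


def _digest(payload) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def vulnerable_hash(user: dict) -> str:
    """Modelled pre-fix behaviour: only the permission sets and the roles held on
    memberships are hashed.  A membership with an empty role list adds nothing,
    so which groups the user belongs to is lost."""
    roles = sorted(r for rs in user["memberships"].values() for r in rs)
    return _digest({"outsider": sorted(user["outsider"]),
                    "insider": sorted(user["insider"]),
                    "roles": roles})


def fixed_hash(user: dict) -> str:
    """Modelled fixed behaviour: the group IDs the user is a member of are part
    of the hash, so role-less memberships still distinguish the two users."""
    memberships = {gid: sorted(rs) for gid, rs in user["memberships"].items()}
    return _digest({"outsider": sorted(user["outsider"]),
                    "insider": sorted(user["insider"]),
                    "memberships": memberships})


def collides(hash_fn, a: str, b: str) -> bool:
    return hash_fn(USERS[a]) == hash_fn(USERS[b])


def list_nodes(user: dict, hash_fn, cache: dict) -> list:
    """List the nodes a user may see, caching the result by permissions hash
    (hypothetical: models a list query whose access result is keyed by the hash).
    With a colliding hash the second user is served the first user's list."""
    key = hash_fn(user)
    if key not in cache:
        cache[key] = [nid for nid, gid in NODES
                      if gid is None or gid in user["memberships"]]
    return cache[key]


if __name__ == "__main__":
    print("hash collision (vulnerable):", collides(vulnerable_hash, "alice", "bob"))
    print("hash collision (fixed):     ", collides(fixed_hash, "alice", "bob"))
    for name, fn in (("vulnerable", vulnerable_hash), ("fixed", fixed_hash)):
        cache = {}
        print(name, "alice sees", list_nodes(USERS["alice"], fn, cache),
              "bob sees", list_nodes(USERS["bob"], fn, cache))
```

Under the vulnerable hash bob is handed alice's cached list: he sees group-1's private node n2 and loses his own group-2 node n3. Including the membership IDs in the hash separates the two cache entries.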
Solution:
Install the latest version:
* Sites using Group version 2 should upgrade to Group v2.2.2 [3]
* Sites using Group version 3 should upgrade to Group v3.2.2 [4]
Reported By:
* Dylan Donkersgoed [5]
Fixed By:
* Dylan Donkersgoed [6]
* Péter Keszthelyi [7]
* Austin Mitchell [8]
* Ian Bullock [9]
Coordinated By:
* Damien McKenna [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/group
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group/releases/2.2.2
[4] https://www.drupal.org/project/group/releases/3.2.2
[5] https://www.drupal.org/user/2803351
[6] https://www.drupal.org/user/2803351
[7] https://www.drupal.org/user/1939064
[8] https://www.drupal.org/user/3534491
[9] https://www.drupal.org/user/1291942
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/36762
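A check a practitioner would want for both advisories above: scan a site's composer.lock for the affected version ranges quoted in SA-CONTRIB-2023-055 and SA-CONTRIB-2023-054. This is an added example and not a drupal.org tool; it assumes the site is managed with Composer under the Drupal packagist names drupal/dvf and drupal/group, and the lock-file excerpt is constructed for the demo.

```python
"""Flag vulnerable dvf / group releases in a composer.lock (added example)."""
import json
import re

# Affected ranges copied verbatim from the two advisories.
ADVISORIES = {
    "drupal/dvf": ("SA-CONTRIB-2023-055", "<2.0.2"),
    "drupal/group": ("SA-CONTRIB-2023-054", ">=2.0.0 <2.2.2 || >=3.0.0 <3.2.2"),
}

# Constructed composer.lock excerpt (not a real site).
CONSTRUCTED_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/dvf", "version": "2.0.1"},
        {"name": "drupal/group", "version": "3.1.0"},
        {"name": "drupal/core", "version": "10.1.6"},
    ],
    "packages-dev": [],
})

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(v: str) -> tuple:
    """Normalise '2.0.1', 'v3.1', or legacy '8.x-1.5' to a 3-tuple of ints.
    Pre-release suffixes (e.g. '-beta1') are ignored, so '2.0.2-beta1' compares
    as 2.0.2; treat such hits as needing manual review."""
    m = re.match(r"(?:\d+\.x-)?v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def in_range(version: str, constraint: str) -> bool:
    """Evaluate an advisory-style constraint: '||'-separated alternatives,
    each a space-separated conjunction of comparisons."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        clauses = alternative.split()
        if clauses and all(
            _OPS[m.group(1)](v, parse_version(m.group(2)))
            for m in (re.fullmatch(r"(<=|>=|<|>|==)(.+)", c) for c in clauses)
        ):
            return True
    return False


def affected_packages(lock_json: str) -> list:
    """Return (package, installed version, advisory) for every affected package."""
    lock = json.loads(lock_json)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg["name"] in ADVISORIES:
            sa, rng = ADVISORIES[pkg["name"]]
            if in_range(pkg["version"], rng):
                hits.append((pkg["name"], pkg["version"], sa))
    return hits


if __name__ == "__main__":
    for name, ver, sa in affected_packages(CONSTRUCTED_LOCK):
        print(f"{name} {ver} is affected by {sa}")
```

Point it at a real lock file with `affected_packages(open("composer.lock").read())`; an empty result means neither project is installed at an affected version, not that the site is otherwise current.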