July 2023 - Security-news - lists.drupal.org

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
by security-news＠drupal.org 26 Jul '23

26 Jul '23

View online: https://www.drupal.org/sa-contrib-2023-031 Project: Drupal Symfony Mailer [1] Date: 2023-July-26 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site request forgery Affected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3 Description: The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: * If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2 [3]. * If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3 [4]. Reported By: * Mingsong [5] Fixed By: * Mingsong [6] * Adam Shepherd [7] * Lee Rowlands [8] of the Drupal Security Team [1] https://www.drupal.org/project/symfony_mailer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/symfony_mailer/releases/1.2.2 [4] https://www.drupal.org/project/symfony_mailer/releases/1.3.0-rc3 [5] https://www.drupal.org/user/2986445 [6] https://www.drupal.org/user/2986445 [7] https://www.drupal.org/user/2650563 [8] https://www.drupal.org/user/395439

1 0

Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032
by security-news＠drupal.org 26 Jul '23

26 Jul '23

View online: https://www.drupal.org/sa-contrib-2023-032 Project: Minify Source HTML [1] Date: 2023-July-26 Security risk: *Moderately critical* 11∕25 AC:Basic/A:None/CI:None/II:None/E:Proof/TD:All [2] Vulnerability: Cross site scripting Affected versions: <1.13.0 || >=2.0.0 <2.0.3 Description: Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version: * If you use the Minify Source HTML module for Drupal 7.x, upgrade to Minify Source HTML 7.x-1.11 [3] * If you use the Minify Source HTML module for Drupal 8.x/9.x, upgrade to Minify Source HTML 8.x-1.13 [4] * If you use the Minify Source HTML module for Drupal 9.x/10.x, upgrade to Minify Source HTML 2.0.3 [5] Reported By: * Pierre Rudloff [6] Fixed By: * Scott Joudry [7] * Pierre Rudloff [8] [1] https://www.drupal.org/project/minifyhtml [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/minifyhtml/releases/7.x-1.11 [4] https://www.drupal.org/project/minifyhtml/releases/8.x-1.13 [5] https://www.drupal.org/project/minifyhtml/releases/2.0.3 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/1846786 [8] https://www.drupal.org/user/3611858

1 0

Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19
by security-news＠drupal.org 19 Jul '23

19 Jul '23

View online: https://www.drupal.org/psa-2023-07-19 Date: 2023-July-19 Description: Reminder: As we get ready for the End-of-life (EOL) of Drupal 7 in January 2025 [1], changes are coming to the Drupal 7 ecosystem. .... Drupal 7 branches of unsupported modules and themes will no longer be eligible for new maintainership Community support for contributed modules and themes will continue as it has to date. However, beginning August 1, 2023, once the Drupal 7 branch of a contributed module or theme is marked unsupported, it will not be eligible for new maintainership and will not be marked supported again. This will occur if an existing maintainer marks the module or theme unsupported, or if the Security Team marks it unsupported for lack of response. If there are Drupal 7 modules or themes that you or your clients rely on, then *we strongly encourage you to proactively adopt these projects [2].* The Drupal Security Team will not issue security advisories for any unsupported third-party libraries that Drupal 7 contributed modules or themes rely on, such as CKEditor 4. .... Other Drupal 7 support changes For a full list of upcoming Drupal 7 support changes, see End-of-life (EOL) Drupal 7 in January 2025 [3]. [1] https://www.drupal.org/psa-2023-06-07 [2] https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or-di… [3] https://www.drupal.org/psa-2023-06-07

1 0

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030
by security-news＠drupal.org 12 Jul '23

12 Jul '23

View online: https://www.drupal.org/sa-contrib-2023-030 Project: Two-factor Authentication (TFA) [1] Date: 2023-July-12 Security risk: *Critical* 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Access bypass Affected versions: ^1 <= 1.0.0 Description: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential. Solution: Install the latest version: * If you use the Two-factor Authentication (TFA) module for Drupal 8/9 please upgrade to TFA 8.x-1.1 [3] Ensure all additional external forms of authentication, such as REST, have been disabled. Reported By: * Conrad Lara [4] * Benji Fisher [5] of the Drupal Security Team Fixed By: * Lee Rowlands [6] of the Drupal Security Team * João Ventura [7] * Conrad Lara [8] * Benji Fisher [9] of the Drupal Security Team * Mingsong [10] * Jonathan Daggerhart [11] * Vitaliy Bogomazyuk [12] * Giles Birch [13] * N Cantrell [14] * Reinder Venema [15] * Rory Downes [16] Coordinated By: * Damien McKenna [17] of the Drupal Security Team * Greg Knaddison [18] of the Drupal Security Team [1] https://www.drupal.org/project/tfa [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tfa/releases/8.x-1.1 [4] https://www.drupal.org/user/1790054 [5] https://www.drupal.org/user/683300 [6] https://www.drupal.org/user/395439 [7] https://www.drupal.org/user/122464 [8] https://www.drupal.org/user/1790054 [9] https://www.drupal.org/user/683300 [10] https://www.drupal.org/user/2986445 [11] https://www.drupal.org/user/167806 [12] https://www.drupal.org/user/3514011 [13] https://www.drupal.org/user/512726 [14] https://www.drupal.org/user/3593195 [15] https://www.drupal.org/user/3669405 [16] https://www.drupal.org/user/2998173 [17] https://www.drupal.org/user/108450 [18] https://www.drupal.org/user/36762

1 0

Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12
by security-news＠drupal.org 12 Jul '23

12 Jul '23

View online: https://www.drupal.org/psa-2023-07-12 Date: 2023-July-11 Description: Beginning today, Drupal core issues reported to the Security Team with risk levels [1] that are "Not Critical", "Less Critical", or "Moderately Critical" may be treated as bugs in the public issue queue, not as private security issues requiring a security advisory and CVE. .... Policy Change The Security Team will use its discretion to handle some issues in public depending on the risk score, the severity of the impact, the difficulty to exploit, and any other mitigating factors. We still encourage all security researchers to start by filing a private issue [2] that can then be moved public later. Members of the Security Team also will sometimes unpublish a public issue and move it private as needed. Drupal core issues with risk levels [3] of "Critical" or "Highly Critical" will continue to be private security issues. Some issues with lower risk scores will also be handled privately at Security Team discretion, depending on their impact. .... What are some examples? Exactly which issues are moved into the public queue will be at the discretion of the Security Team members triaging the issue. Some examples of common categories follow. .. Information disclosure Information disclosure is when information that should be private can be seen outside of the intended private context. A key difference between this and other kinds of security issues is that the circumstances in which it is a security risk often greatly reduce the risk of information being disclosed publicly. Sometimes, the information being disclosed is already public on the internet without any explicit action from users. For example, if unpublished article teasers accidentally show in a listing accessible to anonymous users, these will be visible to anyone visiting the page including search engines and other crawlers. Keeping the information disclosure /bug/ private does not keep the information itself private in these cases; it is already public. Other times, metadata about an article like its title or URL is leaked only to users who already have content editing or similar permissions on a site, and via their normal workflows. The potential audience for the leaked information is very small, they may already be seeing it, the impact of learning that secret is likely low. These issues often require significant active effort against an individual site to exploit. The amount of effort and individual-site nature make them less likely to be exploited. Scenarios that would make the issue a security vulnerability are extremely uncommon. For example, a vulnerability might expose the content of a field under very specific circumstances. The contents of that field might only be considered important in rare circumstances. In those situations we would tend toward fixing the bug in public. In scenarios when the information disclosure would represent a great risk to many sites we will not disclose publicly. For example, if you could get access to the passwords of users, or secret keys as an anonymous user, those issues would be handled privately with a security advisory. .. Content injection Content injection vulnerabilities exist when information from a URL ends up reflected in the HTML page, which can result in unwanted content being accessible from a domain. While these bugs are embarrassing, they do not allow other kinds of access unless paired with a cross-site scripting (XSS) or similar vulnerability. .. Denial of service Denial of service is an attack intended to render a site unusable, usually by saturating it with traffic. Certain categories of bugs sometimes make these attacks easier (for example, triggering code that takes a long time to run). However, they are often symptoms of scalability issues or type checking errors, which are routinely fixed in public. .... What if sites I manage are concerned about these kinds of issues? You should monitor the Drupal core issue queue for the 'Security' and 'Security improvements' [4] tags and dedicate resources to helping fix those issues. .... What should I do if I find a security issue that might fall under the above? You should still report the issue privately to the Security Team so that they can verify it is not a symptom of a different security issue (such as access bypass or privilege escalation) and that it meets the guidelines above that allow it to be handled in public. The Security Team may then have you open a public issue and close the private report. .... What will happen to issues meeting these criteria that are already open in the private issue tracker? These will be transferred to the public issue queues for their respective projects over time. Coordinated By: The following people contributed to this public service announcement. * xjm [5] of the Drupal Security Team * Michael Hess [6] of the Drupal Security Team * Nathaniel Catchpole [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team * Lee Rowlands [9] of the Drupal Security Team * cilefen [10] of the Drupal Security Team * Cathy Theys [11] of the Drupal Security Team [1] https://www.drupal.org/drupal-security-team/security-risk-levels-defined [2] https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/r… [3] https://www.drupal.org/drupal-security-team/security-risk-levels-defined [4] https://www.drupal.org/project/issues/search/drupal?project_issue_followers… [5] https://www.drupal.org/user/65776 [6] https://www.drupal.org/user/102818 [7] https://www.drupal.org/user/35733 [8] https://www.drupal.org/user/36762 [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/1850070 [11] https://www.drupal.org/user/258568

1 0