View online: https://www.drupal.org/sa-contrib-2023-036
Project: Flexi Access [1]
Date: 2023-August-23
Security risk: *Critical* 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Description:
The Flexi Access module provides a simple and flexible interface to the
ACL (Access Control List) module. It lets you set up and manage ACLs
naming individual users who are allowed access to a particular node.
The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that known exploit paths require
an attacker to have a combination of permissions provided by the module; for
example "access flexiaccess" and "flexiaccess view". See
_flexiaccess_node_access() for details. The "administer flexiaccess"
permission alone does not grant access to the vulnerable functionality.
This Security Advisory is being released in coordination with
SA-CONTRIB-2023-034 [3] for the ACL module, on which Flexi Access depends.
Solution:
Install the latest version:
* If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access 7.x-1.3 [4].
The ACL module (a dependency) must also be updated.
Reported By:
* Drew Webber [5] of the Drupal Security Team
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Gisle Hannemyr [7]
Coordinated By:
* Drew Webber [8] of the Drupal Security Team
* Cathy Theys [9] of the Drupal Security Team
* Damien McKenna [10] of the Drupal Security Team
[1] https://www.drupal.org/project/flexiaccess
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-contrib-2023-034
[4] https://www.drupal.org/project/flexiaccess/releases/7.x-1.3
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/409554
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/258568
[10] https://www.drupal.org/user/108450
View online: https://www.drupal.org/sa-contrib-2023-034
Project: ACL [1]
Date: 2023-August-23
Security risk: *Critical* 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Affected versions: <1.0.0
Description:
The ACL module, short for Access Control Lists, is an API for other modules
to create lists of users and give them access to nodes.
The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.
As this is an API module, it is only exploitable if a "client" module exposes
the vulnerability. Details of some contributed client modules are given
below. Custom modules using ACL could also expose the vulnerability.
This vulnerability is mitigated by the fact that an attacker typically needs
an "admin"-type permission provided by one of ACL's client modules.
Known client modules include:
* Forum Access
* Flexi Access
* Content Access
Coordinated Security Advisories are being released for those client modules
that have security coverage.
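The "Remote Code Execution via Object Injection" named in this advisory and in the Flexi Access advisory above is the generic PHP pattern shown here, as an added illustration that is not code from the ACL or Flexi Access modules; the class name, the function names and the request parameter are constructed for the example, beside two hardened equivalents.

```php
<?php
// Added illustration, not code from the ACL or Flexi Access modules: the
// generic PHP object-injection pattern beside two hardened equivalents.
// Class name, function names and the request payload are constructed.

// Any class loaded on the site that has a magic method such as __destruct,
// __wakeup or __toString is a potential gadget: attacker-supplied serialized
// data chooses the class and its property values, and the interpreter invokes
// the method without the module ever calling it explicitly.
class ExampleGadget {
  public $note = 'default';
  public function __destruct() {
    // Stand-in side effect. In a real gadget chain this is where the
    // attacker-chosen property value would reach a dangerous sink.
    error_log("ExampleGadget::__destruct fired with note=" . $this->note);
  }
}

// Vulnerable pattern: a serialized blob from the request is unserialized
// as-is, so the caller has no say in which classes get instantiated.
function example_load_unsafe(string $user_input) {
  return unserialize($user_input);
}

// Hardened, option 1: forbid instantiating any class (PHP >= 7.0). Objects in
// the payload become __PHP_Incomplete_Class instances and no magic method runs.
function example_load_safe(string $user_input) {
  return unserialize($user_input, ['allowed_classes' => FALSE]);
}

// Hardened, option 2 (preferred for user-controlled data): do not use PHP
// serialization at all; JSON has no notion of object types.
function example_load_json(string $user_input) {
  return json_decode($user_input, TRUE, 512, JSON_THROW_ON_ERROR);
}

// Constructed input standing in for a request parameter: a serialized
// ExampleGadget whose property value the sender chose.
$payload = 'O:13:"ExampleGadget":1:{s:4:"note";s:18:"sender-chosen text";}';

$object = example_load_unsafe($payload);
echo get_class($object), "\n";   // the gadget was instantiated; its destructor runs when freed
unset($object);

$inert = example_load_safe($payload);
echo get_class($inert), "\n";    // an incomplete-class placeholder; the payload stays inert data
```

Option 2 is the safer default when the module controls both the writer and the reader of the stored value; option 1 is the minimal change when an existing serialized format must keep working.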
Solution:
Install the latest version:
* If you use the ACL module for Drupal 7.x, upgrade to ACL 7.x-1.4 [3]
* If you use the ACL module 8.x-1.0-beta3 or below, upgrade to ACL 8.x-1.0 [4]
Any client modules that depend on ACL should also be updated.
Reported By:
* Drew Webber [5] of the Drupal Security Team
* Samuel Mortenson [6]
Fixed By:
* Drew Webber [7] of the Drupal Security Team
* Hans Salvisberg [8]
* Jen Lampton [9] Provisional Member of the Drupal Security Team
* xeM8VfDh [10]
Coordinated By:
* Drew Webber [11] of the Drupal Security Team
* Damien McKenna [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
* Michael Hess [14] of the Drupal Security Team
[1] https://www.drupal.org/project/acl
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/acl/releases/7.x-1.4
[4] https://www.drupal.org/project/acl/releases/8.x-1.0
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/user/85586
[10] https://www.drupal.org/user/3446669
[11] https://www.drupal.org/user/255969
[12] https://www.drupal.org/user/108450
[13] https://www.drupal.org/user/36762
[14] https://www.drupal.org/user/102818
View online: https://www.drupal.org/sa-contrib-2023-033
Project: Matomo Analytics [1]
Date: 2023-August-02
Security risk: *Less critical* 8/25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.22.0
Description:
This module enables you to add the Matomo web statistics tracking system to
your website.
The module does not validate the Matomo JS code loaded on the website, so a user
could configure the module to load JS from a malicious website.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer matomo" or "administer matomo tag manager"
(D8+ only) to access the settings forms where this can be configured.
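One defensive check matching the weakness described above, written as an added example against Drupal 7's form API and not the module's own fix; the function names, the form element name 'matomo_url_https' and the allowlist are assumptions constructed for the example.

```php
<?php
// Added illustration, not code from the Matomo Analytics module: reject an
// untrusted tracker location before it is saved. Function names, the element
// name 'matomo_url_https' and the allowlist are constructed assumptions.

// A tracker URL is accepted only when every part of it is what an operator
// expects: https, a host on an administrator-maintained allowlist, and no
// credentials, port, query string or fragment that could steer the load.
function example_matomo_url_is_trusted(string $url, array $allowed_hosts): bool {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  if (strtolower($parts['scheme']) !== 'https') {
    return FALSE;
  }
  foreach (['user', 'pass', 'port', 'query', 'fragment'] as $forbidden) {
    if (isset($parts[$forbidden])) {
      return FALSE;
    }
  }
  $host = strtolower(rtrim($parts['host'], '.'));
  foreach ($allowed_hosts as $allowed) {
    $allowed = strtolower($allowed);
    $suffix = '.' . $allowed;
    // Exact match, or a subdomain of an allowed host; a bare substring match
    // would let "analytics.example.org.attacker.test" through.
    if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
      return TRUE;
    }
  }
  return FALSE;
}

// Validation handler for the module's settings form: with this in place even a
// user holding the administer permission cannot point the site at an
// arbitrary script host.
function example_matomo_admin_settings_validate(array $form, array &$form_state) {
  $allowed = ['analytics.example.org'];   // constructed allowlist for the example
  $url = trim($form_state['values']['matomo_url_https'] ?? '');
  if (!example_matomo_url_is_trusted($url, $allowed)) {
    form_set_error('matomo_url_https',
      t('The Matomo URL must be an https:// address on an approved analytics host.'));
  }
}
```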
Solution:
Install the latest version:
* If you use the Matomo Analytics module for Drupal 7, upgrade to Matomo
Analytics 7.x-2.15 [3]
* If you use the Matomo Analytics module for Drupal 8, upgrade to Matomo
Analytics 8.x-1.22 [4]
Sites are encouraged to review which roles have that permission and which
users have that role, to ensure that only trusted users have that permission.
Reported By:
* Pierre Rudloff [5]
Fixed By:
* Damien McKenna [6] of the Drupal Security Team
* Carsten Logemann [7]
* Florent Torregrosa [8]
* Pierre Rudloff [9]
Coordinated By:
* Neil Drumm [10] of the Drupal Security Team
[1] https://www.drupal.org/project/matomo
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/matomo/releases/7.x-2.15
[4] https://www.drupal.org/project/matomo/releases/8.x-1.22
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/108450
[7] https://www.drupal.org/user/218368
[8] https://www.drupal.org/user/2388214
[9] https://www.drupal.org/user/3611858
[10] https://www.drupal.org/user/3064