View online: https://www.drupal.org/sa-contrib-2024-006
Project: Swift Mailer [1]
Date: 2024-January-24
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Drupal Swift Mailer module extends the basic e-mail sending functionality
provided by Drupal by delegating all e-mail handling to the Swift Mailer
library. This enables your site to take advantage of the many features which
the Swift Mailer library provides.
The module could allow an attacker to gain widespread access to a Drupal
site. This vulnerability is mitigated by the fact that an attacker must have
a means to trigger sending an email with a body that they can control, which
would require either another contributed module or a custom integration.
Solution:
Uninstall this module immediately. The swiftmailer library has been
unsupported for a year, and this module is now also unsupported.
Switching to a replacement module is recommended; the module maintainers
specifically suggested the following:
* Drupal Symfony Mailer Lite [3]
* Drupal Symfony Mailer [4]
Reported By:
* Adam Shepherd [5]
Fixed By:
* Adam Shepherd [6]
* Wayne Eaker [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/swiftmailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite
[4] https://www.drupal.org/project/symfony_mailer
[5] https://www.drupal.org/user/2650563
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/326925
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
View online: https://www.drupal.org/sa-contrib-2024-005
Project: Open Social [1]
Date: 2024-January-24
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Proof/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <12.0.5
Description:
Open Social is a Drupal distribution for online communities.
The included optional social_group_flexible_group module doesn't sufficiently
validate group updates. The lack of validation makes it possible for content
inside a group to have its visibility changed, which could lead to that
content being shown to a broader audience than intended.
This vulnerability is mitigated by the fact that the
social_group_flexible_group module must be enabled.
Solution:
Install the latest version of Open Social:
* If you use the Open Social 12.x distribution for Drupal, upgrade to Open
Social 12.0.5 [3]
Reported By:
* Taras Kruts [4]
Fixed By:
* Taras Kruts [5]
* Ronald te Brake [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.0.5
[4] https://www.drupal.org/user/1449610
[5] https://www.drupal.org/user/1449610
[6] https://www.drupal.org/user/2314038
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762
View online: https://www.drupal.org/sa-contrib-2024-003
Project: Two-factor Authentication (TFA) [1]
Date: 2024-January-24
Security risk: *Moderately critical* 14∕25
AC:Complex/A:None/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.5.0
Description:
This module enables you to allow and/or require users to use a second
authentication method in addition to password authentication.
In some cases, the module allows users to log in with an authentication
plugin that an administrator has disabled.
This vulnerability is mitigated by the fact that an attacker must obtain a
valid first-factor login credential, that an administrator must enable and
then disable an authentication plugin, and that an attacker must obtain the
valid second factor credential for the disabled plugin.
Solution:
Install the latest version:
* If you use the Two-factor Authentication (TFA) module for Drupal 8, 9, or
10, upgrade to TFA 8.x-1.5 [3]
After installing this update, disabled plugins will no longer be offered or
accepted as a second factor option.
If an account is configured with only disabled plugins, login will be
prohibited and the configured TFA "Help text" displayed instead of a
second factor prompt.
To restore access for a locked-out user, site owners may consider re-enabling
the plugin (admin/config/people/tfa) or may use their existing procedures for
granting access to accounts whose owner has forgotten or lost their second
factor tokens.
Accounts with both enabled and disabled plugins will prompt the account owner
with one of the remaining enabled plugins.
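The following is an added illustration of the login-time gating the update introduces; it is not code from the TFA module. The plugin ids, the settings layout and the verification codes are all made up. Only the behaviour follows the advisory text above: a plugin the administrator has disabled is neither offered nor accepted even if the account has it configured, an account left with only disabled plugins is refused and shown the help text, and an account with a mix is prompted for one of the remaining enabled plugins. The "vulnerable" acceptance path shows the general gap, trusting the user's stored configuration at submit time without re-checking the administrator's current list.

```python
"""Model of second-factor plugin gating at login (illustration, not TFA module code).

Plugin ids ("totp", "sms"), TfaSettings, Account and the CODES table are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class TfaSettings:
    enabled_plugins: Set[str]      # what the administrator currently allows
    help_text: str = "Second-factor login is unavailable; contact the site owner."


@dataclass
class Account:
    name: str
    configured_plugins: List[str]  # second factors this user set up earlier


@dataclass
class Challenge:
    allowed: bool
    offered: List[str] = field(default_factory=list)
    message: str = ""


def usable_plugins(account: Account, settings: TfaSettings) -> List[str]:
    """Plugins both set up by the user and currently enabled by the administrator."""
    return [p for p in account.configured_plugins if p in settings.enabled_plugins]


def start_challenge(account: Account, settings: TfaSettings) -> Challenge:
    """After a valid first factor: decide what, if anything, to prompt for."""
    usable = usable_plugins(account, settings)
    if not usable:
        # Only disabled plugins left: prohibit login and show the help text.
        return Challenge(allowed=False, message=settings.help_text)
    return Challenge(allowed=True, offered=usable)


def accept_vulnerable(account: Account, settings: TfaSettings, plugin_id: str,
                      code: str, verify: Callable[[str, str], bool]) -> bool:
    """Gap pattern: trusts the user's stored configuration, never consults the admin list."""
    return plugin_id in account.configured_plugins and verify(plugin_id, code)


def accept_fixed(account: Account, settings: TfaSettings, plugin_id: str,
                 code: str, verify: Callable[[str, str], bool]) -> bool:
    """Re-check enablement on submit; the submitted plugin need not be one that was offered."""
    return plugin_id in usable_plugins(account, settings) and verify(plugin_id, code)


# Constructed stand-in for real plugin verification (TOTP, SMS code, ...).
CODES = {"totp": "123456", "sms": "999999"}


def verify_code(plugin_id: str, code: str) -> bool:
    return CODES.get(plugin_id) == code


if __name__ == "__main__":
    # Administrator enabled "sms", alice set it up, administrator later disabled it.
    settings = TfaSettings(enabled_plugins={"totp"})
    alice = Account("alice", ["sms"])
    print(start_challenge(alice, settings))                                  # refused, help text
    print(accept_vulnerable(alice, settings, "sms", "999999", verify_code))  # True: bypass
    print(accept_fixed(alice, settings, "sms", "999999", verify_code))       # False
    bob = Account("bob", ["sms", "totp"])
    print(start_challenge(bob, settings))                                    # offers ["totp"] only
```

The point of `accept_fixed` is that the enablement check runs on the submitted plugin id, not only when building the prompt; the form that offered a plugin and the request that submits a code are separate HTTP round trips, and the second one must not rely on the first having filtered anything.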
Reported By:
* Ide Braakman [4]
Fixed By:
* Conrad Lara [5]
* Juraj Nemec [6] of the Drupal Security Team
* João Ventura [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Benji Fisher [10] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.5
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/683300
View online: https://www.drupal.org/sa-contrib-2024-002
Project: Typogrify [1]
Date: 2024-January-10
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0
Description:
The Typogrify module brings the typographic refinements of Typogrify to
Drupal. It provides a text filter and a Twig filter.
The typogrify Twig filter can be used to bypass the Twig auto-escape feature,
leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that it is only exposed when the
Twig filter is specifically used in a template to render content.
Solution:
Install the latest version:
* If you use the Typogrify module for Drupal 10.x, upgrade to Typogrify
8.x-1.3 [3]
If you use the typogrify Twig filter provided by this module, then this
update may cause double-encoding of text. See the updated README for best
practices.
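The following is an added model of the general pattern behind this class of bug and of the double-encoding side effect the README warns about; it is not code from the Typogrify module, Drupal or Twig. It reproduces one Twig rule: a value marked safe (the result of a filter declared `is_safe`) is emitted without escaping. A typographic filter has to emit HTML entities and so must mark its output safe, which means it must escape untrusted plain text itself before transforming it. The `typographic_transform` function is a made-up stand-in for the real filter; only its shape (text in, HTML out) matters here.

```python
"""Model of a Twig filter that bypasses auto-escaping, and its hardened form.

Illustration code, not Typogrify/Drupal/Twig code. Markup, typographic_transform
and the sample strings are constructed for this example.
"""
import html


class Markup(str):
    """A string the auto-escaper treats as already-safe HTML (an is_safe filter result)."""


def autoescape(value) -> str:
    """What {{ value }} does with autoescape on: escape anything not marked safe."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


def typographic_transform(text: str) -> str:
    """Stand-in typography: emits entities, so its output has to be marked safe."""
    text = text.replace(" -- ", " &ndash; ")
    head, sep, last = text.rpartition(" ")
    # Glue the last word to the previous one with a non-breaking space.
    return head + "&nbsp;" + last if sep else text


def typogrify_vulnerable(value) -> Markup:
    """The flawed pattern: raw input goes in, the result is marked safe, escaping is skipped."""
    return Markup(typographic_transform(str(value)))


def typogrify_fixed(value) -> Markup:
    """Hardened: escape untrusted plain strings first; pass already-safe Markup through."""
    text = str(value) if isinstance(value, Markup) else html.escape(str(value), quote=True)
    return Markup(typographic_transform(text))


def render(twig_filter, value) -> str:
    """Equivalent of {{ value|twig_filter }} in an autoescaped template."""
    return autoescape(twig_filter(value))


if __name__ == "__main__":
    # Constructed sample input standing in for attacker-controlled stored text.
    payload = "Hello <script>alert(1)</script>"
    print(render(typogrify_vulnerable, payload))  # script tag survives: stored XSS
    print(render(typogrify_fixed, payload))       # &lt;script&gt;... : neutralised
    # The README caveat: plain text that was already escaped gets escaped again.
    print(render(typogrify_fixed, "Tom &amp; Jerry"))          # Tom &amp;amp;&nbsp;Jerry
    print(render(typogrify_fixed, Markup("Tom &amp; Jerry")))  # Tom &amp;&nbsp;Jerry
```

The last two lines show why the update "may cause double-encoding": once the filter escapes its input, a plain string that some earlier step already escaped is encoded twice, while a value that arrives as safe markup is left alone. When auditing templates, the first thing to check is whether the value piped into the filter is raw text or already-rendered markup.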
Reported By:
* Pierre Rudloff [4]
Fixed By:
* Benji Fisher [5] of the Drupal Security Team
Coordinated By:
* Damien McKenna [6] of the Drupal Security Team
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/typogrify
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/typogrify/releases/8.x-1.3
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/683300
[6] https://www.drupal.org/user/108450
[7] https://www.drupal.org/user/36762