October 2024 - Security-news - lists.drupal.org

Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055
by security-news＠drupal.org 30 Oct '24

30 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-055 Project: Cookiebot + GTM [1] Date: 2024-October-30 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Affected versions: <1.0.18 Description: This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way. The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting (XSS) vulnerability. Solution: Install the latest version and review settings: 1) If you use the Cookiebot + GTM module for Drupal, upgrade to Cookiebot + GTM 1.0.18 [3] 2) Additionally, the new codebase adds validation and permission changes so admins should re-save the configuration form at /admin/config/cookiebot_gtm and confirm which roles have permission to configure the module at /admin/people/permissions. Reported By: * Pierre Rudloff [4] Fixed By: * Fabian de Rijk [5] Coordinated By: * Greg Knaddison [6] of the Drupal Security Team * Juraj Nemec [7] of the Drupal Security Team * Cathy Theys [8] of the Drupal Security Team [1] https://www.drupal.org/project/cookiebot_gtm [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/cookiebot_gtm/releases/1.0.18 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/278745 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/272316 [8] https://www.drupal.org/u/yesct

1 0

OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056
by security-news＠drupal.org 30 Oct '24

30 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-056 Project: OhDear Integration [1] Date: 2024-October-30 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <2.0.4 Description: Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthcheck endpoint. It is not enabled by default and there's no UI option to do it. It has to be done directly in the ohdear_integration.settings.yml. Solution: Install the latest version: * If you use the OhDear Integration module, upgrade to 2.0.4 version. [3] Reported By: * casey [4] Fixed By: * casey [5] * Lio Novelli [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/ohdear_integration [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ohdear_integration/releases/2.0.4 [4] https://www.drupal.org/user/32403 [5] https://www.drupal.org/user/32403 [6] https://www.drupal.org/user/3542704 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316

1 0

Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-054 Project: Loft Data Grids [1] Date: 2024-October-23 Security risk: *Moderately critical* 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Multiple vulnerabilities Description: This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities. Solution: If you use the Loft Data Grids module for Drupal 7.x, install one of: * Loft Data Grids 7.x-2.7 [3] - which removes support for the XLSX format, as the patched version requires PHP 8. * Loft Data Grids 7.x-3.0 [4] - which includes XLSX support, by requiring PHP 8 and Composer installation. See the module's README-file for more information. Reported By: * Juraj Nemec [5] of the Drupal Security Team Fixed By: * Aaron Klump [6] Coordinated By: * Greg Knaddison [7] * Juraj Nemec [8] [1] https://www.drupal.org/project/loft_data_grids [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/loft_data_grids/releases/7.x-2.7 [4] https://www.drupal.org/project/loft_data_grids/releases/7.x-3.0 [5] https://www.drupal.org/user/272316 [6] https://www.drupal.org/user/142422 [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10

1 0

Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-053 Project: Smartling Connector [1] Date: 2024-October-23 Security risk: *Less critical* 9 ∕ 25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Multiple vulnerabilities Description: Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform. The module includes an outdated version of the Guzzle package (guzzlehttp/guzzle 6.3.3), which has known security vulnerabilities [3]. Solution: Install the latest version: * If you use Smartling module for Drupal 7.x-4.x, upgrade to smartling 7.x-4.19 [4] * If you use Smartling module for Drupal 7.x-3.x, upgrade to smartling 7.x-3.8 [5] Reported By: * Pierre Rudloff [6] Fixed By: * Pavel Loparev [7] Coordinated By: * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/smartling [2] https://www.drupal.org/security-team/risk-levels [3] https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=2122956 [4] https://www.drupal.org/project/smartling/releases/7.x-4.19 [5] https://www.drupal.org/project/smartling/releases/7.x-3.8 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/3158841 [8] https://www.drupal.org/u/poker10

1 0

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-052 Project: Monster Menus [1] Date: 2024-October-23 Security risk: *Critical* 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Arbitrary PHP code execution Affected versions: <9.3.4 || >=9.4.0 <9.4.2 Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution. Solution: Install the latest version: * If you use Monster Menus branch *9.4.x*, upgrade to monster_menus 9.4.2 [3] * If you use Monster Menus branch *9.3.x*, upgrade to monster_menus 9.3.4 [4] Reported By: * Drew Webber [5] of the Drupal Security Team Fixed By: * Drew Webber [6] of the Drupal Security Team * Dan Wilga [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team [1] https://www.drupal.org/project/monster_menus [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/monster_menus/releases/9.4.2 [4] https://www.drupal.org/project/monster_menus/releases/9.3.4 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/255969 [7] https://www.drupal.org/user/56892 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/user/255969

1 0

Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-051 Project: Views SVG Animation [1] Date: 2024-October-23 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <1.0.1 Description: This module enables you to animate an SVG graphic by selecting certain rows in a view. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files. Solution: Install the latest version: * If you use the views_svg_animation module for Drupal 10 or 11, upgrade to views_svg_animation 1.0.1 [3] Reported By: * Pierre Rudloff [4] Fixed By: * Jürgen Haas [5] Coordinated By: * Juraj Nemec [6] of the Drupal Security Team [1] https://www.drupal.org/project/views_svg_animation [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/views_svg_animation/releases/1.0.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/168924 [6] https://www.drupal.org/u/poker10

1 0

SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-050 Project: SVG Embed [1] Date: 2024-October-23 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting Affected versions: <2.1.2 Description: This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter. Solution: Install the latest version: * If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed 7.x-1.3 [3] * If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed 2.1.2 [4] Reported By: * Pierre Rudloff [5] Fixed By: * Ivo Van Geertruyen [6] of the Drupal Security Team * Jürgen Haas [7] Coordinated By: * Ivo Van Geertruyen [8] of the Drupal Security Team [1] https://www.drupal.org/project/svg_embed [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/svg_embed/releases/7.x-1.3 [4] https://www.drupal.org/project/svg_embed/releases/2.1.2 [5] https://www.drupal.org/user/3611858 [6] https://www.drupal.org/user/383424 [7] https://www.drupal.org/user/168924 [8] https://www.drupal.org/user/383424

1 0

Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
by security-news＠drupal.org 16 Oct '24

16 Oct '24

View online: https://www.drupal.org/sa-core-2024-002 Project: Drupal core [1] Date: 2024-October-16 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Improper error handling Affected versions: >=10.0 < 10.2.10 Description: Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur. Solution: Install the latest version: * If you are using Drupal 10.2, update to Drupal 10.2.10 [3]. * Drupal 10.3 and above are not affected, nor is Drupal 7. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 [4] and Drupal 9 [5] have both reached end-of-life.) This advisory is not covered by Drupal Steward [6]. Reported By: * Pierre Rudloff [7] Fixed By: * catch [8] of the Drupal Security Team * Lee Rowlands [9] of the Drupal Security Team * Benji Fisher [10] of the Drupal Security Team * Kim Pepper [11] * Wim Leers [12] * xjm [13] of the Drupal Security Team Coordinated By: * xjm [14] of the Drupal Security Team * Dave Long [15] of the Drupal Security Team * Juraj Nemec [16] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/10.2.10 [4] https://www.drupal.org/psa-2021-06-29 [5] https://www.drupal.org/psa-2023-11-01 [6] https://www.drupal.org/steward [7] https://www.drupal.org/user/3611858 [8] https://www.drupal.org/user/35733 [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/683300 [11] https://www.drupal.org/user/370574 [12] https://www.drupal.org/user/99777 [13] https://www.drupal.org/user/65776 [14] https://www.drupal.org/user/65776 [15] https://www.drupal.org/u/longwave [16] https://www.drupal.org/u/poker10

1 0

wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-049 Project: wkhtmltopdf [1] Date: 2024-October-09 Security risk: *Highly critical* 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:All [2] Vulnerability: Unsupported Affected versions: * Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] in full. [1] https://www.drupal.org/project/wkhtmltopdf [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] https://www.drupal.org/node/251466#procedure---own-project---unsupported

1 0

Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-046 Project: Block permissions [1] Date: 2024-October-09 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: >=1.0.0 <1.2.0 Description: This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). The attacker can add the block to the theme where they can't manage blocks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]". Solution: Install the latest version: * If you use the block_permissions module for Drupal 8.x, upgrade to block_permissions version at least 8.x-1.2 [3] or the more recent 8.x-1.3 [4] Reported By: * Francesco Sardara [5] Fixed By: * Francesco Sardara [6] * Evgenii Nikitin [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/block_permissions [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/block_permissions/releases/8.x-1.2 [4] https://www.drupal.org/project/block_permissions/releases/8.x-1.3 [5] https://www.drupal.org/user/2353864 [6] https://www.drupal.org/user/2353864 [7] https://www.drupal.org/user/682600 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10

1 0