Security-news October 2024

security-news@drupal.org

1 participants
16 discussions

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-047 Project: Facets [1] Date: 2024-October-09 Security risk: *Critical* 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <2.0.9 Description: This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability. Solution: Install the latest version: * If you use the Facets module, upgrade to Facets 2.0.9 [3] Reported By: * Andrea Racco [4] Fixed By: * Andrea Racco [5] * Markus Kalkbrenner [6] * Joris Vercammen [7] * Jimmy Henderickx [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/facets/releases/2.0.9 [4] https://www.drupal.org/user/2950843 [5] https://www.drupal.org/user/2950843 [6] https://www.drupal.org/user/124705 [7] https://www.drupal.org/user/2393360 [8] https://www.drupal.org/user/462700 [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/poker10

1 0

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-048 Project: Gutenberg [1] Date: 2024-October-09 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery Affected versions: <2.13.0 || >=3.0.0 <3.0.5 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission. Solution: Install the latest version: * If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.13 [3] * If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5 [4] Reported By: * Mingsong [5] Fixed By: * Mingsong [6] * Lee Rowlands [7] of the Drupal Security Team * Eirik Morland [8] * Stephan Zeidler [9] * Cathy Theys [10] of the Drupal Security Team * codebymikey [11] * Marco Fernandes [12] Coordinated By: * Greg Knaddison [13] of the Drupal Security Team * Juraj Nemec [14] of the Drupal Security Team [1] https://www.drupal.org/project/gutenberg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gutenberg/releases/8.x-2.13 [4] https://www.drupal.org/project/gutenberg/releases/3.0.5 [5] https://www.drupal.org/user/2986445 [6] https://www.drupal.org/user/2986445 [7] https://www.drupal.org/user/395439 [8] https://www.drupal.org/user/1014468 [9] https://www.drupal.org/user/767652 [10] https://www.drupal.org/user/258568 [11] https://www.drupal.org/user/3573206 [12] https://www.drupal.org/user/2127558 [13] https://www.drupal.org/u/greggles [14] https://www.drupal.org/u/poker10

1 0

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-045 Project: Monster Menus [1] Date: 2024-October-09 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <9.3.2 Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended. This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter. Solution: Install the latest version: * If you use the monster_menus module for Drupal 7.x, upgrade to monster_menus 7.x-1.34 [3]. * If you use the monster_menus module version *9.3.x*, upgrade to monster_menus 9.3.2 [4]. * If you use the monster_menus module version *9.4.0 or newer*, no change is needed. Reported By: * Dan Wilga [5] Fixed By: * Dan Wilga [6] * Ian McBride [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Damien McKenna [10] of the Drupal Security Team [1] https://www.drupal.org/project/monster_menus [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/monster_menus/releases/7.x-1.34 [4] https://www.drupal.org/project/monster_menus/releases/9.3.2 [5] https://www.drupal.org/user/56892 [6] https://www.drupal.org/user/56892 [7] https://www.drupal.org/user/539500 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/damienmckenna

1 0

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042
by security-news＠drupal.org 02 Oct '24

02 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-042 Project: Diff [1] Date: 2024-October-02 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3 Description: This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff. This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types. Solution: Install the latest version: * If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8 [3] Reported By: * Matthias Vogel [4] Fixed By: * Matthias Vogel [5] * Lucas Hedding [6] * Adam Bramley [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/diff [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/diff/releases/8.x-1.8 [4] https://www.drupal.org/user/3319139 [5] https://www.drupal.org/user/3319139 [6] https://www.drupal.org/user/1463982 [7] https://www.drupal.org/user/1036766 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10

1 0

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043
by security-news＠drupal.org 02 Oct '24

02 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-043 Project: Two-factor Authentication (TFA) [1] Date: 2024-October-02 Security risk: *Critical* 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.8.0 Description: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently migrate sessions before prompting for a second factor token. This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication. Solution: Install the latest version: * If you use the Two-factor Authentication (TFA) module for Drupal 8+ upgrade to Two-factor Authentication (TFA) 8.x-1.8 [3] * If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade to Two-factor Authentication (TFA) 7.x-2.4 [4] Reported By: * Francesco Placella [5] Fixed By: * Francesco Placella [6] * Juraj Nemec [7] of the Drupal Security Team * Conrad Lara [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team [1] https://www.drupal.org/project/tfa [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tfa/releases/8.x-1.8 [4] https://www.drupal.org/project/tfa/releases/7.x-2.4 [5] https://www.drupal.org/user/183211 [6] https://www.drupal.org/user/183211 [7] https://www.drupal.org/user/272316 [8] https://www.drupal.org/user/1790054 [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/poker10

1 0

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044
by security-news＠drupal.org 02 Oct '24

02 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-044 Project: Persistent Login [1] Date: 2024-October-02 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.8.0 || >=2.2.0 <2.2.2 || 2.0.* || 2.1.* Description: This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login. Solution: Install the latest version: * If you use the Persistent Login 8.x-1.x, upgrade to Persistent Login 8.x-1.8 [3] * If you use the Persistent Login 2.x, upgrade to Persistent Login 2.2.2 [4] Reported By: * Geoff Appleby [5] Fixed By: * Geoff Appleby [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team * Drew Webber [9] of the Drupal Security Team [1] https://www.drupal.org/project/persistent_login [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/persistent_login/releases/8.x-1.8 [4] https://www.drupal.org/project/persistent_login/releases/2.2.2 [5] https://www.drupal.org/user/490940 [6] https://www.drupal.org/user/490940 [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10 [9] https://www.drupal.org/u/mcdruid

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2024