Security-news May 2024

security-news@drupal.org

1 participants
6 discussions

Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-022 Project: Drupal REST & JSON API Authentication [1] Date: 2024-May-29 Security risk: *Moderately critical* 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <2.0.13 Description: Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc. The module doesn't sufficiently control user access when using Basic Authentication. Solution: Install the latest version: * If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13 [3] * If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13 [4], as the 8.x-1.x branch is now unsupported. Reported By: * Arek Suchecki [5] Fixed By: * solideogloria [6] * Shashank Thigale [7] * Arek Suchecki [8] * Greg Knaddison [9] of the Drupal Security Team Coordinated By: * Greg Knaddison [10] of the Drupal Security Team * Juraj Nemec [11] of the Drupal Security Team * David Rothstein [12] of the Drupal Security Team [1] https://www.drupal.org/project/rest_api_authentication [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/rest_api_authentication/releases/2.0.13 [4] https://www.drupal.org/project/rest_api_authentication/releases/2.0.13 [5] https://www.drupal.org/user/3553379 [6] https://www.drupal.org/user/3589277 [7] https://www.drupal.org/user/3632808 [8] https://www.drupal.org/user/3553379 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/user/272316 [12] https://www.drupal.org/user/124982

1 0

Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-023 Project: Image Sizes [1] Date: 2024-May-29 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <3.0.2 Description: This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios. Solution: Install the latest version. * If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes 3.0.2 [3] Reported By: * Dezső Biczó [4] Fixed By: * Dezső Biczó [5] * Pascal Crott [6] * Juraj Nemec [7] of the Drupal Security Team Coordinated By: * Juraj Nemec [8] of the Drupal Security Team * Neil Drumm [9] of the Drupal Security Team [1] https://www.drupal.org/project/image_sizes [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/image_sizes/releases/3.0.2 [4] https://www.drupal.org/user/315522 [5] https://www.drupal.org/user/315522 [6] https://www.drupal.org/user/647364 [7] https://www.drupal.org/user/272316 [8] https://www.drupal.org/user/272316 [9] https://www.drupal.org/user/3064

1 0

Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-024 Project: Migrate queue importer [1] Date: 2024-May-29 Security risk: *Moderately critical* 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <2.1.1 Description: The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to enable/disable a cron migration. This vulnerability is mitigated by the fact that an attacker must know the id of the migration. Solution: Install the latest version: * If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1 [3] Reported By: * Pierre Rudloff [4] Fixed By: * David Bätge [5] * Pierre Rudloff [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/migrate_queue_importer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2526160 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316

1 0

Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
by security-news＠drupal.org 22 May '24

22 May '24

View online: https://www.drupal.org/sa-contrib-2024-021 Project: Commerce View Receipt [1] Date: 2024-May-22 Security risk: *Moderately critical* 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.0.3 Description: The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing a malicious to view the private information of other customers. Solution: Install the latest version. * If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3 [3]. Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version. Reported By: * Norman Kämper-Leymann [4] Fixed By: * Norman Kämper-Leymann [5] * Greg Mack [6] * Greg Knaddison [7] of the Drupal Security Team * Drew Webber [8] of the Drupal Security Team Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team * xjm [11] of the Drupal Security Team [1] https://www.drupal.org/project/commerce_view_receipt [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/commerce_view_receipt/releases/1.0.3 [4] https://www.drupal.org/user/2482808 [5] https://www.drupal.org/user/2482808 [6] https://www.drupal.org/user/336930 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/u/poker10 [11] https://www.drupal.org/u/xjm

1 0

Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
by security-news＠drupal.org 22 May '24

22 May '24

View online: https://www.drupal.org/sa-contrib-2024-020 Project: Email Contact [1] Date: 2024-May-22 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <2.0.4 Description: The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used. This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used. Solution: Install the latest version: * If you use the 2.0.x branch, upgrade to email_contact 2.0.4 [3]. * If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4 [4], as the 8.x-1.x branch is now unsupported. Reported By: * Claudiu Cristea [5] Fixed By: * Claudiu Cristea [6] * Bálint Nagy [7] * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * xjm [10] of the Drupal Security Team Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team * Juraj Nemec [13] of the Drupal Security Team [1] https://www.drupal.org/project/email_contact [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/email_contact/releases/2.0.4 [4] https://www.drupal.org/project/email_contact/releases/2.0.4 [5] https://www.drupal.org/user/56348 [6] https://www.drupal.org/user/56348 [7] https://www.drupal.org/user/1763952 [8] https://www.drupal.org/user/36762 [9] https://www.drupal.org/user/272316 [10] https://www.drupal.org/user/65776 [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/xjm [13] https://www.drupal.org/user/272316

1 0

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019
by security-news＠drupal.org 15 May '24

15 May '24

View online: https://www.drupal.org/sa-contrib-2024-019 Project: RESTful Web Services [1] Date: 2024-May-15 Security risk: *Critical* 16∕25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:All [2] Vulnerability: Access bypass Description: This module exposes Drupal resources (e.g. entities) as RESTful web services. The module doesn't sufficiently restrict access for user resources. Solution: Install the latest version: * If you use the RESTful Web Services module for Drupal 7, upgrade to RESTful Web Services 7.x-2.10 [3] Reported By: * Fran Garcia-Linares [4] Fixed By: * Neil Drumm [5] of the Drupal Security Team * Fran Garcia-Linares [6] Coordinated By: * Neil Drumm [7] of the Drupal Security Team [1] https://www.drupal.org/project/restws [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/restws/releases/7.x-2.10 [4] https://www.drupal.org/user/2495842 [5] https://www.drupal.org/user/3064 [6] https://www.drupal.org/user/2495842 [7] https://www.drupal.org/user/3064

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news May 2024