Security-news September 2024

security-news@drupal.org

1 participants
8 discussions

Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041
by security-news＠drupal.org 18 Sep '24

18 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-041 Project: Smart IP Ban [1] Date: 2024-September-18 Security risk: *Critical* 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications. The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings. Solution: Install the latest version: * If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1 [3] Reported By: * Shawn Gants [4] Fixed By: * Sivaji Ganesh Jojodae [5] Coordinated By: * Greg Knaddison [6] of the Drupal Security Team * Damien McKenna [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/smart_ip_ban [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/smart_ip_ban/releases/7.x-1.1 [4] https://www.drupal.org/user/2351786 [5] https://www.drupal.org/user/328724 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/u/DamienMcKenna [8] https://www.drupal.org/u/poker10

1 0

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
by security-news＠drupal.org 11 Sep '24

11 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-040 Project: File Entity (fieldable files) [1] Date: 2024-September-11 Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information Disclosure Description: This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data. The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory. This vulnerability only affects sites with private files. Solution: Install the latest version: * If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 [3] or newer. Reported By: * Devin Zuczek [4] Fixed By: * Devin Zuczek [5] * Joseph Olstad [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Damien McKenna [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/file_entity [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/file_entity/releases/7.x-2.39 [4] https://www.drupal.org/user/701754 [5] https://www.drupal.org/user/701754 [6] https://www.drupal.org/user/1321830 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/u/DamienMcKenna [9] https://www.drupal.org/u/poker10

1 0

Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039
by security-news＠drupal.org 11 Sep '24

11 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-039 Project: Security Kit [1] Date: 2024-September-11 Security risk: *Less critical* 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] Vulnerability: Denial of Service Affected versions: <2.0.3 Description: This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers. The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data. This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages [3]. Solution: Install the latest version: * If you use the 7.x-1.x branch of the seckit module, upgrade to seckit 7.x-1.13 [4] * If you use the 2.0.x branch of the seckit module, upgrade to seckit 2.0.3 [5] Reported By: * _b0lli [6] Fixed By: * jweowu [7] * Drew Webber [8] of the Drupal Security Team Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team * Heine Deelstra [11] of the Drupal Security Team [1] https://www.drupal.org/project/seckit [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/issues/2481349 [4] https://www.drupal.org/project/seckit/releases/7.x-1.13 [5] https://www.drupal.org/project/seckit/releases/2.0.3 [6] https://www.drupal.org/user/3827467 [7] https://www.drupal.org/user/152788 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/mcdruid [11] https://www.drupal.org/user/17943

1 0

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
by security-news＠drupal.org 04 Sep '24

04 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-038 Project: Open Social [1] Date: 2024-September-04 Security risk: *Moderately critical* 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Denial of Service Affected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11 Description: Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker. Solution: Install the latest version: * If you use Open Social 12.3.x, upgrade to Open Social 12.3.8 [3] * If you use Open Social 12.4.x, upgrade to Open Social 12.4.5 [4] Reported By: * vnech [5] Fixed By: * Ronald te Brake [6] * vnech [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Heine Deelstra [10] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/12.3.8 [4] https://www.drupal.org/project/social/releases/12.4.5 [5] https://www.drupal.org/user/3545979 [6] https://www.drupal.org/user/2314038 [7] https://www.drupal.org/user/3545979 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/user/17943

1 0

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
by security-news＠drupal.org 04 Sep '24

04 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-037 Project: Open Social [1] Date: 2024-September-04 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting, Denial of Service Affected versions: <12.3.8 || >=12.4.0 <12.4.5 || >=13.0.0 <13.0.0-alpha11 Description: Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly. Added URL's were not sufficiently validated which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS. This vulnerability is mitigated by the fact that social_embed submodule needs to be enabled. Solution: Install the latest version: * If you use Open Social 12.3.x, upgrade to Open Social 12.3.8 [3] * If you use Open Social 12.4.x, upgrade to Open Social 12.4.5 [4] Reported By: * Thiago Régis [5] Fixed By: * Thiago Régis [6] * Ronald te Brake [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/12.3.8 [4] https://www.drupal.org/project/social/releases/12.4.5 [5] https://www.drupal.org/user/277221 [6] https://www.drupal.org/user/277221 [7] https://www.drupal.org/user/2314038 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10

1 0

Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
by security-news＠drupal.org 04 Sep '24

04 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-036 Project: Paragraphs table [1] Date: 2024-September-04 Security risk: *Critical* 15∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <1.23.0 || >=2.0.0 <2.0.2 Description: This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate). This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. -------- INFORMATION DISCLOSURE ---------------------------------------------- Several routes /only/ checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question. -------- ACCESS BYPASS ------------------------------------------------------- The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type. These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content" which is commonly assigned to all roles. Solution: Install the latest version: * If you use the paragraphs_table module 8.x-1.x, upgrade to paragraphs_table 8.x-1.23 [3] * If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table 2.0.2 [4] or newer Reported By: * James Williams [5] Fixed By: * James Williams [6] * NGUYEN Bao [7] * Steven Jones [8] * Joseph Olstad [9] Coordinated By: * Greg Knaddison [10] of the Drupal Security Team * Jess [11] of the Drupal Security Team * Juraj Nemec [12] of the Drupal Security Team [1] https://www.drupal.org/project/paragraphs_table [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/paragraphs_table/releases/8.x-1.23 [4] https://www.drupal.org/project/paragraphs_table/releases/2.0.2 [5] https://www.drupal.org/user/592268 [6] https://www.drupal.org/user/592268 [7] https://www.drupal.org/user/2896581 [8] https://www.drupal.org/user/99644 [9] https://www.drupal.org/user/1321830 [10] https://www.drupal.org/u/greggles [11] https://www.drupal.org/u/xjm [12] https://www.drupal.org/u/poker10

1 0

Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035
by security-news＠drupal.org 04 Sep '24

04 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-035 Project: Content Entity Clone [1] Date: 2024-September-04 Security risk: *Moderately critical* 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Information Disclosure Affected versions: <1.0.4 Description: This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle. The module doesn't properly check the user access to the original entity, allowing users to create a new entity (they have permission to create) pre-filled with content from another entity of the same type and bundle that they would normally not have access to. This vulnerability is mitigated by the fact that an attacker must have the permission to create content of the type of the entity to clone. Solution: Install the latest version: * If you use the content_entity_clone module prior to version 1.0.4, upgrade to content_entity_clone 1.0.4 [3] Reported By: * Vojislav Jovanovic [4] Fixed By: * orakili [5] * Vojislav Jovanovic [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/content_entity_clone [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/content_entity_clone/releases/1.0.4 [4] https://www.drupal.org/user/92189 [5] https://www.drupal.org/user/1287634 [6] https://www.drupal.org/user/92189 [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/user/272316

1 0

Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
by security-news＠drupal.org 04 Sep '24

04 Sep '24

View online: https://www.drupal.org/sa-contrib-2024-034 Project: Freelinking [1] Date: 2024-September-04 Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information Disclosure Affected versions: <4.0.1 Description: This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content. Solution: Install the latest version: * If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1 [3] * If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1 [4], as the 8.x-3.x branch is now unsupported Reported By: * Matthew Radcliffe [5] Fixed By: * Matthew Radcliffe [6] * Gisle Hannemyr [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Damien McKenna [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team [1] https://www.drupal.org/project/freelinking [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/freelinking/releases/4.0.1 [4] https://www.drupal.org/project/freelinking/releases/4.0.1 [5] https://www.drupal.org/user/157079 [6] https://www.drupal.org/user/157079 [7] https://www.drupal.org/user/409554 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/damienmckenna [10] https://www.drupal.org/user/272316

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news September 2024