View online: https://www.drupal.org/node/2445953
* Advisory ID: DRUPAL-SA-CONTRIB-2015-064
* Project: Ubercart Discount Coupons [1] (third-party module)
* Version: 6.x
* Date: 2015-March-04
* Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Ubercart Discount Coupons module provides discount coupons for Ubercart
stores.
The module doesn't sufficiently sanitize user-supplied text in some
administration pages, thereby exposing a Cross Site Scripting vulnerability.
The vulnerability is mitigated by the fact that an attacker must have a user
with permission to create/edit taxonomy terms. Note that for vocabularies
with free tagging enabled, this includes any user with permission to add/edit
content of a type to which the vocabulary applies.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8
Drupal core is not affected. If you do not use the contributed Ubercart
Discount Coupons [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Ubercart Discount Coupons module for Drupal 6.x, upgrade to
Ubercart Discount Coupons 6.x-1.8 [5]
Also see the Ubercart Discount Coupons [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* wodenx [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/uc_coupon
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_coupon
[5] https://www.drupal.org/node/2438357
[6] https://www.drupal.org/project/uc_coupon
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/896508
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2445935
* Advisory ID: DRUPAL-SA-CONTRIB-2015-063
* Project: Webform [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-March-04
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform enables you to create surveys, personalized contact forms, contests,
and the like.
-------- CROSS SITE SCRIPTING RELATED TO WEBFORM SUBMISSIONS -----------------
The module doesn't sufficiently escape user data presented to administrative
users in the webform results table. This issue affects the 7.x-4.x branch
only.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to submit a webform and the administrative user must
subsequently visit the webform's results table tab.
To mitigate this vulnerability, you can disable the view-based results table
and restore the legacy hard-coded results table by adding this line to your
settings.php file (the file already opens with a PHP tag, so only the
assignment itself is needed):
$conf['webform_table'] = TRUE;
-------- CROSS SITE SCRIPTING RELATED TO BLOCKS ------------------------------
The module doesn't sufficiently escape node titles of webforms which
administrators may make available as blocks and displayed to any user. This
issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to administer blocks and create or edit webform nodes.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* webform 6.x versions prior to 6.x-3.22.
* webform 7.x-3.x versions prior to 7.x-3.22.
* webform 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Webform [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22 [5]
* If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22 [6]
or webform 7.x-4.4 [7]
Also see the Webform [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dan Chadwick [9], the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Dan Chadwick [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/webform
[5] http://drupal.org/node/2445291
[6] http://drupal.org/node/2445295
[7] http://drupal.org/node/2445297
[8] https://www.drupal.org/project/webform
[9] https://www.drupal.org/user/504278
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437993
* Advisory ID: DRUPAL-SA-CONTRIB-2015-062
* Project: Watchdog Aggregator [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Watchdog Aggregator collects watchdog messages from external sites.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause an administrator to enable and disable monitoring sites by
getting their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Watchdog Aggregator module.
Drupal core is not affected. If you do not use the contributed Watchdog
Aggregator [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Watchdog Aggregator module you should uninstall it.
Also see the Watchdog Aggregator [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/watchdog_aggregator
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/watchdog_aggregator
[5] https://www.drupal.org/project/watchdog_aggregator
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437991
* Advisory ID: DRUPAL-SA-CONTRIB-2015-061
* Project: Ubercart Webform Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Ubercart Webform Integration module integrates the Webform and Ubercart modules.
The module doesn't sufficiently sanitize user-supplied text in some pages,
thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have
permission to create/edit nodes.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All versions of Ubercart Webform Integration module.
Drupal core is not affected. If you do not use the contributed Ubercart
Webform Integration [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Ubercart Webform Integration module you should uninstall it.
Also see the Ubercart Webform Integration [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/uc_webform
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/uc_webform
[5] https://www.drupal.org/project/uc_webform
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437985
* Advisory ID: DRUPAL-SA-CONTRIB-2015-060
* Project: Custom Sitemap [1] (third-party module)
* Version: 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
The Custom Sitemap module enables you to add custom sitemaps to a site.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user could trick an administrator into deleting sitemaps by getting their
browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Custom Sitemap module.
Drupal core is not affected. If you do not use the contributed Custom Sitemap
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Custom Sitemap module you should uninstall it.
Also see the Custom Sitemap [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/custom_sitemap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_sitemap
[5] https://www.drupal.org/project/custom_sitemap
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437981
* Advisory ID: DRUPAL-SA-CONTRIB-2015-059
* Project: Spider Video Player [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 15/25 (Critical) AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
Spider Video Player module enables you to add HTML5 and Flash videos to your
site.
The module doesn't sufficiently check user input when deleting files. A
malicious user could delete arbitrary files by making a request to a
specially-crafted URL. This vulnerability is mitigated by the fact that the
attacker must have a role with the permission "access Spider Video Player
administration".
Additionally, the module doesn't sufficiently protect some URLs against CSRF.
A malicious user could trick an administrator into deleting videos by getting
their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Spider Video Player module.
Drupal core is not affected. If you do not use the contributed Spider Video
Player [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Spider Video Player module you should uninstall it.
Also see the Spider Video Player [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/player
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/player
[5] https://www.drupal.org/project/player
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437977
* Advisory ID: DRUPAL-SA-CONTRIB-2015-058
* Project: Spider Catalog [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION ---------------------------------------------------------
Spider Catalog module enables you to build product catalogs.
The module doesn't sufficiently protect some URLs against CSRF. A malicious
user can cause an administrator to delete products, ratings and categories by
getting their browser to make a request to a specially-crafted URL.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Spider Catalog module.
Drupal core is not affected. If you do not use the contributed Spider Catalog
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Spider Catalog module you should uninstall it.
Also see the Spider Catalog [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/spider-catalog
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/spider-catalog
[5] https://www.drupal.org/project/spider-catalog
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437973
* Advisory ID: DRUPAL-SA-CONTRIB-2015-057
* Project: Spider Contacts [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery, SQL Injection, Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
Spider Contacts module provides a user-friendly way to manage and display
contacts.
The module doesn't use Drupal's Database API properly: user input is placed
into SQL queries without sanitization, thereby exposing a SQL Injection
vulnerability. This vulnerability is mitigated by the fact that the attacker
must have a role with the permission "access Spider Contacts category
administration".
Additionally, the module doesn't sufficiently protect some URLs against CSRF.
A malicious user could trick an administrator into deleting contact
categories by getting their browser to make a request to a specially-crafted
URL.
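The CSRF advisories in this digest (Watchdog Aggregator, Custom Sitemap, Spider Video Player, Spider Catalog and Spider Contacts) share one shape: a state-changing action is reachable through a plain URL that nothing ties to the administrator's intent. The Spider Contacts advisory adds a second defect, user input concatenated into SQL text instead of going through the Database API. The Drupal 7 module code below is an added example written for this digest, not code from any of those modules: the module name csrfdemo, its routes, its permission and the table {csrfdemo_item} are all constructed. It shows the unprotected delete callback beside the two idioms Drupal 7 provides for the fix, a confirm_form() (Form API adds and checks a form token) and a drupal_get_token()/drupal_valid_token() pair for actions that must stay links, with every query going through the query builder so the id is bound as a parameter.

```php
<?php
// Illustrative Drupal 7 module code added to this digest; it is not taken from
// any of the modules in the advisories above. The module name "csrfdemo", the
// routes, the permission and the table {csrfdemo_item} are constructed.

/**
 * Implements hook_menu().
 */
function csrfdemo_menu() {
  // Vulnerable shape: a plain GET to this path deletes the item at once.
  // Nothing ties the request to the administrator's intent, so a page on
  // another site can make the administrator's browser issue it.
  $items['csrfdemo/item/%/delete-unsafe'] = array(
    'page callback' => 'csrfdemo_item_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer csrfdemo items'),
    'type' => MENU_CALLBACK,
  );
  // Hardened shape: the deletion is a confirmation form. Form API embeds a
  // per-session token and drupal_validate_form() rejects a POST without it.
  $items['csrfdemo/item/%/delete'] = array(
    'title' => 'Delete item',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('csrfdemo_item_delete_form', 2),
    'access arguments' => array('administer csrfdemo items'),
    'type' => MENU_CALLBACK,
  );
  // Hardened shape for an action that must stay a link: a token in the query.
  $items['csrfdemo/item/%/toggle'] = array(
    'page callback' => 'csrfdemo_item_toggle',
    'page arguments' => array(2),
    'access arguments' => array('administer csrfdemo items'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable callback: no CSRF protection, and the path argument is
 * concatenated into the SQL text, so its value can alter the statement.
 */
function csrfdemo_item_delete_unsafe($id) {
  db_query("DELETE FROM {csrfdemo_item} WHERE id = $id");
  drupal_set_message(t('Item deleted.'));
  drupal_goto('csrfdemo/items');
}

/**
 * Hardened form: confirm_form() builds a POST form carrying a form token.
 */
function csrfdemo_item_delete_form($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => (int) $id);
  return confirm_form(
    $form,
    t('Are you sure you want to delete item %id?', array('%id' => $id)),
    'csrfdemo/items',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/**
 * Submit handler, reached only after the token check passed. The query
 * builder binds the id as a parameter, so the value can never change the
 * structure of the statement.
 */
function csrfdemo_item_delete_form_submit($form, &$form_state) {
  db_delete('csrfdemo_item')
    ->condition('id', (int) $form_state['values']['id'])
    ->execute();
  drupal_set_message(t('Item deleted.'));
  $form_state['redirect'] = 'csrfdemo/items';
}

/**
 * Builds the toggle link with a token bound to this user's session and to
 * this item id.
 */
function csrfdemo_item_toggle_link($id) {
  return l(t('Toggle'), 'csrfdemo/item/' . (int) $id . '/toggle', array(
    'query' => array('token' => drupal_get_token('csrfdemo-toggle-' . (int) $id)),
  ));
}

/**
 * Token-checked GET callback: a request without the matching token is
 * refused before any state changes.
 */
function csrfdemo_item_toggle($id) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'csrfdemo-toggle-' . (int) $id)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('csrfdemo_item')
    ->expression('enabled', '1 - enabled')
    ->condition('id', (int) $id)
    ->execute();
  drupal_goto('csrfdemo/items');
}
```

The confirm_form() route is the preferred fix because the token handling is invisible to the module author; the token-in-query variant exists for links that cannot become forms, and its protection depends entirely on the callback refusing to act before drupal_valid_token() has returned TRUE. Note that drupal_valid_token() returns FALSE for anonymous sessions by default, which is the desired outcome for an administrative action.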
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Spider Contacts module.
Drupal core is not affected. If you do not use the contributed Spider
Contacts [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Spider Contacts module you should uninstall it.
Also see the Spider Contacts [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/spider-contacts
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/spider-contacts
[5] https://www.drupal.org/project/spider-contacts
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437969
* Advisory ID: DRUPAL-SA-CONTRIB-2015-056
* Project: inLinks Integration [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-February-25
* Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
inLinks Integration module enables you to use the inLinks product from the
Text Link Ads third-party service.
The module doesn't sufficiently sanitize user input in some path arguments,
thereby exposing a Cross Site Scripting vulnerability.
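The Cross Site Scripting advisories in this digest (Ubercart Discount Coupons, Webform, Ubercart Webform Integration and inLinks Integration) all come down to the same defect: a user-controlled string, whether a path argument, a node title shown in a block or a value in an administrative results table, is placed into HTML without escaping. The Drupal 7 module code below is an added example written for this digest, not code from any of those modules; the module name xssdemo, its route, its permission and the sample titles are constructed. It shows the unescaped page callback beside the escaped one, using the two functions Drupal 7 provides for the job: t() with an @placeholder and check_plain().

```php
<?php
// Illustrative Drupal 7 module code added to this digest; it is not taken from
// any of the modules in the advisories above. The module name "xssdemo", the
// route "xssdemo/greet/%", the permission and the sample titles are constructed.

/**
 * Implements hook_menu().
 *
 * The third path component is handed to the page callback as $name, so its
 * value is entirely under the visitor's control, like the "path arguments"
 * in the inLinks advisory.
 */
function xssdemo_menu() {
  $items['xssdemo/greet/%'] = array(
    'title' => 'Greeting',
    'page callback' => 'xssdemo_greet_page',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Vulnerable pattern: user-controlled strings are concatenated into markup.
 * Any HTML in $name or in a stored title is rendered by the browser instead
 * of being shown as text.
 */
function xssdemo_greet_page_unsafe($name) {
  $output = '<h2>Hello ' . $name . '</h2>';
  $rows = array();
  foreach (xssdemo_load_titles() as $title) {
    $rows[] = array($title);
  }
  // theme('table') does not escape cell contents; the caller must.
  $output .= theme('table', array('header' => array('Title'), 'rows' => $rows));
  return $output;
}

/**
 * Hardened pattern: escape at the point where a string becomes HTML.
 * t() runs check_plain() on @placeholders; check_plain() does the same for
 * values assembled by hand. Both turn "<" into "&lt;", so markup typed in by
 * a user is displayed rather than executed.
 */
function xssdemo_greet_page($name) {
  $output = '<h2>' . t('Hello @name', array('@name' => $name)) . '</h2>';
  $rows = array();
  foreach (xssdemo_load_titles() as $title) {
    $rows[] = array(check_plain($title));
  }
  $output .= theme('table', array('header' => array(t('Title')), 'rows' => $rows));
  return $output;
}

/**
 * Constructed sample data standing in for titles loaded from the database,
 * e.g. node titles shown in a block or values shown in an admin results table.
 */
function xssdemo_load_titles() {
  return array(
    'Plain title',
    'Title with <b>markup</b> typed in by a user',
  );
}
```

The rule the hardened callback follows is to escape at output time, once, for every string that did not originate in the module's own code; escaping at storage time is not a substitute, because the same value may later be emitted into a context (an attribute, a JavaScript string) where HTML escaping is the wrong transformation. Pages that administrators alone can see, as in the Webform results table advisory, need the same treatment, since an administrator's session is the most valuable one on the site.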
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of inLinks Integration module.
Drupal core is not affected. If you do not use the contributed inLinks
Integration [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the inLinks Integration module you should uninstall it.
Also see the inLinks Integration [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/inlinks
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/inlinks
[5] https://www.drupal.org/project/inlinks
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2437965
* Advisory ID: DRUPAL-SA-CONTRIB-2015-055
* Project: Services single sign-on server helper [1] (third-party module)
* Version: 7.x
* Date: 2015-February-25
* Security risk: 10/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION ---------------------------------------------------------
Services single sign-on server helper module provides functionality to
facilitate account information editing on a remote SSO site.
The module doesn't validate some user-supplied URLs in parameters used for
page redirection. An attacker could trick users into visiting malicious sites
without realizing it.
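An open redirect of the kind described above arises when a redirect target read from the request reaches drupal_goto() unchecked. The Drupal 7 module code below is an added example written for this digest, not code from the Services single sign-on server helper module; the module name redirdemo, its route and the return_to query parameter are constructed. It shows the unchecked callback beside a validation function that keeps only site-relative paths, including the protocol-relative and absolute forms that a scheme-based check alone would let through.

```php
<?php
// Illustrative Drupal 7 module code added to this digest; it is not taken from
// the Services single sign-on server helper module. The module name
// "redirdemo", its route and the "return_to" query parameter are constructed.

/**
 * Implements hook_menu().
 */
function redirdemo_menu() {
  $items['redirdemo/done'] = array(
    'page callback' => 'redirdemo_done',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable pattern: the redirect target is taken straight from the request,
 * so a link built by a third party can send the visitor to any site while
 * the link itself points at this one.
 */
function redirdemo_done_unsafe() {
  $target = isset($_GET['return_to']) ? $_GET['return_to'] : '<front>';
  drupal_goto($target);
}

/**
 * Reduce a caller-supplied redirect target to a site-relative Drupal path,
 * falling back to the front page for anything that could leave the site.
 */
function redirdemo_safe_return_path($target) {
  $target = trim((string) $target);
  if ($target === '') {
    return '<front>';
  }
  // Anything with a scheme (http://, https://, javascript:, ...) is external.
  if (url_is_external($target)) {
    return '<front>';
  }
  // url_is_external() keys on a scheme, so protocol-relative ("//host/...")
  // and absolute ("/...") forms pass it; both are refused here as well, as is
  // a leading backslash, which browsers normalise to a forward slash.
  $first = $target[0];
  if ($first === '/' || $first === '\\') {
    return '<front>';
  }
  return $target;
}

/**
 * Hardened callback: only a vetted internal path reaches drupal_goto().
 */
function redirdemo_done() {
  $target = isset($_GET['return_to']) ? $_GET['return_to'] : '<front>';
  drupal_goto(redirdemo_safe_return_path($target));
}
```

Drupal 7 already applies a similar screen to its own convention, the destination query parameter, which drupal_goto() honours only when url_is_external() says it is internal; a module that introduces a redirect parameter of its own has to do the same work itself, and the allow-list approach above (accept only what is known to be a local path) is easier to get right than trying to enumerate the external forms.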
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
All versions of Services single sign-on server helper module.
Drupal core is not affected. If you do not use the contributed Services
single sign-on server helper [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Services single sign-on server helper module you should
uninstall it.
Also see the Services single sign-on server helper [5] project page.
-------- REPORTED BY ---------------------------------------------------------
* Pere Orga [6] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
Not applicable.
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [7] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [8].
Learn more about the Drupal Security team and their policies [9], writing
secure code for Drupal [10], and securing your site [11].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [12]
[1] https://www.drupal.org/project/services_sso_server_helper
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/services_sso_server_helper
[5] https://www.drupal.org/project/services_sso_server_helper
[6] https://www.drupal.org/user/2301194
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/contact
[9] https://www.drupal.org/security-team
[10] https://www.drupal.org/writing-secure-code
[11] https://www.drupal.org/security/secure-configuration
[12] https://twitter.com/drupalsecurity