View online: https://www.drupal.org/node/2403351
* Advisory ID: DRUPAL-SA-CONTRIB-2015-004
* Project: Context [1] (third-party module)
* Version: 7.x
* Date: 2015-January-07
* Security risk: 9/25 (Less Critical)
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Open Redirect
-------- DESCRIPTION
---------------------------------------------------------
Context allows you to manage contextual conditions and reactions for
different portions of your site.
The Context UI module did not check for external URLs in the HTTP GET
destination parameter when redirecting users who activate or deactivate
the Context UI inline editor dialog, leading to an Open Redirect
vulnerability.
This vulnerability is mitigated by the fact that the victim must have the
permission "administer contexts" and that Context UI module must be enabled.
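The check that was missing is the one every redirect endpoint needs before it honours a caller-supplied destination: the target must stay on this site. The following is an added example written for this advisory, not code from the Context module or from Drupal core; the site base URL, the fallback path and the sample destinations are constructed for the demonstration. It goes a little beyond the advisory by also rejecting the scheme-relative and backslash forms that browsers resolve to another host.

```python
"""Validating a Drupal-style ``destination`` query parameter before redirecting.

Added example for this advisory; it is not code from the Context module or
from Drupal core.  The site base URL, the fallback path and the sample
destinations below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

SITE_BASE = "https://example.org"          # assumed site URL
FALLBACK = "admin/structure/context"       # assumed safe default target


def is_local_destination(dest: str) -> bool:
    """Return True only if ``dest`` is a path on this site.

    Rejected: absolute URLs with any scheme (``https://``, ``javascript:``,
    ``https:host`` without slashes), scheme-relative ``//host`` URLs, the
    backslash variants browsers normalise to ``//host``, and any control
    character that could smuggle a second header or confuse a parser.
    """
    dest = dest.strip()
    if not dest:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        return False
    # Browsers treat "\" like "/" at the start of a URL, so "/\evil" ends
    # up as "//evil": normalise before looking for an authority part.
    normalised = dest.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # A scheme or a host means the target leaves this site.  Like Drupal 7's
    # url_is_external(), this also treats "foo:bar" as external.
    return not parts.scheme and not parts.netloc


def redirect_target(query: dict) -> str:
    """Resolve the URL to redirect to after toggling the inline editor.

    The vulnerable pattern is ``redirect(query["destination"])`` with no
    check; here an unsafe value is replaced by the fallback path.
    """
    dest = query.get("destination", "")
    if not is_local_destination(dest):
        dest = FALLBACK
    return f"{SITE_BASE}/{dest.lstrip('/')}"


# Constructed inputs: destination -> expected verdict.
CASES = {
    "admin/structure/context": True,
    "/node/5?foo=bar#section": True,
    "https://evil.example/login": False,
    "//evil.example/login": False,
    "/\\evil.example/login": False,
    "https:evil.example": False,
    "javascript:alert(1)": False,
    "\t//evil.example": False,
    "": False,
}


def check_cases() -> bool:
    """True when every constructed case gets the expected verdict."""
    return all(is_local_destination(d) == ok for d, ok in CASES.items())


if __name__ == "__main__":
    for dest in CASES:
        print(f"{dest!r:32} local={is_local_destination(dest)!s:5} "
              f"-> {redirect_target({'destination': dest})}")
    print("all cases as expected:", check_cases())
```

In a Drupal 7 module the equivalent fix is to pass the destination through url_is_external() (or drupal_goto() with a fixed internal path) before redirecting; the point of the example is that the parameter is attacker-controlled even though the victim must be an administrator, because the administrator only has to click a link.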
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Context 7.x-3.x versions prior to 7.x-3.6
Drupal core is not affected. If you do not use the contributed Context [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Context module for Drupal 7, upgrade to Context 7.x-3.6 [5]
Also see the Context [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Pere Orga [8] provisional member of the Drupal Security Team
* Chris Johnson [9], module maintainer
* Yonas Yanfa [10], module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Owen Barton [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/context
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/context
[5] https://www.drupal.org/node/2402779
[6] https://www.drupal.org/project/context
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/8134
[10] https://www.drupal.org/user/7089
[11] https://www.drupal.org/user/19668
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2403343
* Advisory ID: DRUPAL-SA-CONTRIB-2015-003
* Project: PHPlist Integration Module [1] (third-party module)
* Version: 6.x
* Date: 2015-January-07
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: SQL Injection
-------- DESCRIPTION
---------------------------------------------------------
The PHPlist Integration module provides an integration between a Drupal
website and phpList newsletter manager. The module provides two main
features: user sync and sending a node as a newsletter.
The module introduces a SQL Injection vulnerability to the phpList database.
The Drupal database is not affected.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer PHPlist".
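The advisory does not name the affected query, so the following is an added example, not the PHPlist Integration module's code: it contrasts a statement built by string interpolation with the same statement using bound parameters, on a constructed table that stands in for the phpList database (SQLite replaces phpList's MySQL so the block runs offline; the schema and list names are invented). The payload shows why an "administer PHPlist" user who can only pick a list name still gets to rewrite the WHERE clause.

```python
"""String-built SQL versus bound parameters, on a stand-in for the phpList database.

Added example for this advisory; it is not the PHPlist Integration
module's code and the schema below is constructed, not phpList's real one.
SQLite stands in for phpList's MySQL database so the block runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table of newsletter lists; ``active`` gates what admins may target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE list (id INTEGER PRIMARY KEY, name TEXT NOT NULL, active INTEGER NOT NULL);
        INSERT INTO list VALUES (1, 'newsletter', 1);
        INSERT INTO list VALUES (2, 'staff-internal', 0);
        INSERT INTO list VALUES (3, 'board-only', 0);
        """
    )
    return conn


def active_list_ids_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the list name chosen in the admin UI is
    pasted into the statement, so quoting inside the value becomes SQL."""
    sql = "SELECT id FROM list WHERE name = '%s' AND active = 1" % name
    return sorted(row[0] for row in conn.execute(sql))


def active_list_ids_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver binds ``name`` as a value; it can never change
    the statement's structure, whatever characters it contains."""
    sql = "SELECT id FROM list WHERE name = ? AND active = 1"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed payload: closes the string literal, ORs in a tautology and
# comments out the rest of the WHERE clause, so ``active = 1`` is lost.
PAYLOAD = "x' OR 1=1 --"


def demo() -> dict:
    """Run both variants with an honest name and with the payload."""
    conn = make_db()
    return {
        "honest_vulnerable": active_list_ids_vulnerable(conn, "newsletter"),
        "honest_safe": active_list_ids_safe(conn, "newsletter"),
        "payload_vulnerable": active_list_ids_vulnerable(conn, PAYLOAD),
        "payload_safe": active_list_ids_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label:20} -> {ids}")
```

With the honest name both variants return the single active list; with the payload the interpolated version returns every list, including the inactive ones the filter was meant to hide, while the bound version returns nothing because the whole payload is compared as a literal name. A module that talks to a second database from Drupal 7 should use that connection's prepared-statement interface (db_query() placeholders if it goes through Drupal's database layer) rather than concatenation.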
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* PHPlist Integration Module 6.x-1.x versions prior to 6.x-1.7.
Drupal core is not affected. If you do not use the contributed PHPlist
Integration Module [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PHPlist Integration Module for Drupal 6.x, upgrade to
PHPlist Integration Module 6.x-1.7 [5]
Also see the PHPlist Integration Module [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Tarek Djebali [8] the module maintainer
* Pere Orga [9] provisional member of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] provisional member of the Drupal Security Team
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/phplist
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/phplist
[5] https://www.drupal.org/node/2402517
[6] https://www.drupal.org/project/phplist
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/745218
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2403333
* Advisory ID: DRUPAL-SA-CONTRIB-2015-002
* Project: Course [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-January-07
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Course module enables you to create e-learning courses with any number of
requirements for completion.
The module doesn't sufficiently filter node titles when displaying them as
part of a course, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create course content.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Course 7.x-1.x versions prior to 7.x-1.4
* Course 6.x-1.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Course [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.4 [5]
* If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.2 [6]
Also see the Course [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [8] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Pere Orga [9] provisional member of the Drupal Security Team
* Devin Zuczek [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/course
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/course
[5] https://www.drupal.org/node/2403305
[6] https://www.drupal.org/node/2403309
[7] https://www.drupal.org/project/course
[8] https://www.drupal.org/user/2301194
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/701754
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2403313
* Advisory ID: DRUPAL-SA-CONTRIB-2015-001
* Project: OPAC [1] (third-party module)
* Version: 7.x
* Date: 2015-January-07
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
OPAC module enables you to create mappings between node fields and ILS record
fields.
The module doesn't ask for confirmation when removing a mapping, leaving this
operation vulnerable to cross-site request forgery (CSRF) attacks.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* OPAC 7.x-2.x versions prior to 7.x-2.3.
Drupal core is not affected. If you do not use the contributed OPAC [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OPAC module for Drupal 7.x (7.x-2.x releases), upgrade to OPAC 7.x-2.3 [5]
Also see the OPAC [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7] provisional member of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Julian Maurice [8] the module maintainer
* Pere Orga [9] provisional member of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [10] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/opac
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/opac
[5] https://www.drupal.org/node/2402393
[6] https://www.drupal.org/project/opac
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/2221570
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/user/2301194
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2395049
* Advisory ID: DRUPAL-SA-CONTRIB-2014-128
* Project: OG Menu [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-December-17
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to associate menus with Organic Groups (OG). It
allows you to create one or more menus per group, configure and apply menu
permissions in a group context, add/edit menu links directly from the entity
form, etc.
The module doesn't sufficiently check the menu parameters passed in the path,
creating an access bypass vulnerability that allows an attacker to edit or
delete any menu link on the site. The same missing check also discloses
menu information (information disclosure).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer og menu".
*This handles the same issue as SA-CONTRIB-2014-125 [3], but due to a mistake
made in tagging the release, the fix did not get included.*
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.6
* Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.4
Organic Groups Menu (OG Menu) 7.x-3.0 and later versions are not affected.
Drupal core is not affected. If you do not use the contributed OG Menu [5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.6 [6]
* If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.4 [7]
* If you use the OG Menu module for Drupal 7.x and the OG module 7.x-2.x, no action is needed.
Also see the OG Menu [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Marjolein de Waal [9]
-------- FIXED BY
------------------------------------------------------------
* Wim Vanheste [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
* Klaus Purer [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/og_menu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2390899
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/og_menu
[6] https://www.drupal.org/node/2394845
[7] https://www.drupal.org/node/2394847
[8] https://www.drupal.org/project/og_menu
[9] https://www.drupal.org/user/2862205
[10] https://www.drupal.org/u/rv0
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/klausi
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2395015
* Advisory ID: DRUPAL-SA-CONTRIB-2014-127
* Project: School Administration (third-party module)
* Version: 7.x
* Date: 2014-December-17
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [1]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
School Administration module enables you to keep records of all students and
staff. With inner modules, it aims to be a complete school administration
system.
The module failed to sanitize some node titles in messages, leading to a
Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user
account with permission to create or edit a class node.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [2] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* School Administration 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed School Administration module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the School Administration module for Drupal 7.x, upgrade to
School Administration 7.x-1.8 [3]
Also see the School Administration project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [4]
-------- FIXED BY
------------------------------------------------------------
* Murat Tutumlu [5] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [6] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] https://www.drupal.org/security-team/risk-levels
[2] http://cve.mitre.org/
[3] https://www.drupal.org/node/2391119
[4] https://www.drupal.org/user/2301194
[5] https://www.drupal.org/user/413570
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/contact
[8] https://www.drupal.org/security-team
[9] https://www.drupal.org/writing-secure-code
[10] https://www.drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2394979
* Advisory ID: DRUPAL-SA-CONTRIB-2014-126
* Project: Open Atrium [1] (third-party module)
* Version: 7.x
* Date: 2014-December-17
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This distribution enables you to create an intranet.
Several of the included sub-modules do not prevent CSRF on several menu
callbacks.
Open Atrium Discussion also does not exit correctly after checking access on
several AJAX callbacks, allowing anyone with the "access content" permission
to update and delete nodes.
Also, the (alpha) OG Subgroups module contained a vulnerability that allowed
access to child groups even if membership inheritance was disabled.
The vulnerabilities are mitigated by the fact that the affected sub-modules
must be enabled: Open Atrium Sitemap [3], Open Atrium Discussion [4], and
Open Atrium Admin Role and OA Teams, modules bundled with Open Atrium Core
[5].
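Two of the defects above (and the OPAC one in SA-CONTRIB-2015-001) share one shape: a menu callback that changes state on a plain GET, and an access check that reports a denial but lets the callback run on. The following is an added example covering both the OPAC and Open Atrium advisories; it is not code from either project. The token derivation follows what Drupal 7 documents for drupal_get_token() (an HMAC over a value, keyed with the session id, the site private key and the hash salt), but the key material, the permission name and the mapping store are constructed for the example.

```python
"""Hardening a state-changing menu callback: terminate on access denial and
require a session-bound token.

Added example covering the OPAC and Open Atrium advisories; it is not code
from either project.  The token derivation mirrors what Drupal 7's
drupal_get_token() documents; the key material, the permission name and the
mapping store are constructed for the example.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

PRIVATE_KEY = "assumed-site-private-key"    # assumption: site private key
HASH_SALT = "assumed-hash-salt"             # assumption: settings.php hash salt
ADMIN_PERM = "administer mappings"          # hypothetical permission name


def get_token(session_id: str, value: str) -> str:
    """Per-session, per-action token (URL-safe base64 of an HMAC-SHA256)."""
    key = (session_id + PRIVATE_KEY + HASH_SALT).encode()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def valid_token(session_id: str, token: str, value: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    return hmac.compare_digest(token, get_token(session_id, value))


@dataclass
class Request:
    session_id: str
    perms: set = field(default_factory=set)
    query: dict = field(default_factory=dict)


def delete_mapping_vulnerable(store: dict, req: Request, name: str) -> str:
    """Deliberately vulnerable, showing both defects from the advisories:
    the access check records a denial but does not return, and the GET
    request carries nothing that a cross-site page could not also send."""
    denied = ADMIN_PERM not in req.perms
    if denied:
        pass  # stands for drupal_access_denied() with no return after it
    store.pop(name, None)        # runs regardless of the check above
    return "403 access denied" if denied else "200 deleted"


def delete_mapping_hardened(store: dict, req: Request, name: str) -> str:
    """Authorise, then verify a token bound to this exact action, and only
    then mutate; every failure path returns before the mutation."""
    if ADMIN_PERM not in req.perms:
        return "403 access denied"
    expected_value = f"delete-mapping/{name}"
    if not valid_token(req.session_id, req.query.get("token", ""), expected_value):
        return "403 invalid token"
    if name not in store:
        return "404 not found"
    del store[name]
    return "200 deleted"


def delete_link(session_id: str, name: str) -> str:
    """What the genuine admin page renders: a link carrying the token."""
    token = get_token(session_id, f"delete-mapping/{name}")
    return f"/admin/mappings/{name}/delete?token={token}"


def demo() -> dict:
    """Each entry: (response, mapping still present?) for one scenario."""
    store = {"title": "245$a", "author": "100$a"}   # constructed mappings
    nobody = Request("sess-anon")
    # A forged cross-site request rides on the admin's cookies but cannot
    # know the session-bound token, so it carries none or a guess.
    forged = Request("sess-admin", {ADMIN_PERM}, {"token": "guess"})
    token = delete_link("sess-admin", "title").split("token=")[1]
    genuine = Request("sess-admin", {ADMIN_PERM}, {"token": token})

    results = {}
    s = dict(store)
    results["vulnerable_anon"] = (delete_mapping_vulnerable(s, nobody, "title"), "title" in s)
    s = dict(store)
    results["hardened_anon"] = (delete_mapping_hardened(s, nobody, "title"), "title" in s)
    s = dict(store)
    results["hardened_forged"] = (delete_mapping_hardened(s, forged, "title"), "title" in s)
    s = dict(store)
    results["hardened_genuine"] = (delete_mapping_hardened(s, genuine, "title"), "title" in s)
    return results


if __name__ == "__main__":
    for scenario, (response, still_there) in demo().items():
        print(f"{scenario:18} {response:20} mapping present: {still_there}")
```

The vulnerable callback answers the anonymous caller with a 403 and deletes the mapping anyway, which is the Open Atrium Discussion failure mode; the hardened one refuses the anonymous caller, refuses the forged request because the token is bound to the session and to the specific action, and accepts only the link the admin page itself rendered. In Drupal 7 the idiomatic fixes are a confirm_form() (a POST form protected by the form token) for destructive links, or drupal_get_token()/drupal_valid_token() on the link, together with an explicit return after drupal_access_denied() in every callback.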
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [6] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Open Atrium 7.x-2.x versions prior to 7.x-2.26
Drupal core is not affected. If you do not use the contributed Open Atrium [7] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Open Atrium distribution for Drupal 7.x, upgrade to Open Atrium 7.x-2.26 [8]
Also see the Open Atrium [9] project page.
-------- REPORTED BY
---------------------------------------------------------
* Hunter Fox [10] of the Drupal Security Team & an Open Atrium maintainer
* Pere Orga [11]
-------- FIXED BY
------------------------------------------------------------
* Hunter Fox [12] of the Drupal Security Team & an Open Atrium maintainer
-------- COORDINATED BY
------------------------------------------------------
* Hunter Fox [13] of the Drupal Security Team & an Open Atrium maintainer
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] https://www.drupal.org/project/openatrium
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oa_sitemap
[4] https://www.drupal.org/project/oa_discussion
[5] https://www.drupal.org/project/oa_core
[6] http://cve.mitre.org/
[7] https://www.drupal.org/project/openatrium
[8] https://www.drupal.org/node/2395045
[9] https://www.drupal.org/project/openatrium
[10] https://www.drupal.org/user/426416
[11] https://www.drupal.org/user/2301194
[12] https://www.drupal.org/user/426416
[13] https://www.drupal.org/user/426416
[14] https://www.drupal.org/contact
[15] https://www.drupal.org/security-team
[16] https://www.drupal.org/writing-secure-code
[17] https://www.drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2390899
* Advisory ID: DRUPAL-SA-CONTRIB-2014-125
* Project: OG Menu [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-December-10
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to associate menus with Organic Groups (OG). It
allows you to create one or more menus per group, configure and apply menu
permissions in a group context, add/edit menu links directly from the entity
form, etc.
The module doesn't sufficiently check the menu parameters passed in the path,
creating an access bypass vulnerability that allows an attacker to edit or
delete any menu link on the site. The same missing check also discloses
menu information (information disclosure).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer og menu".
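The bypass here, and in the re-issued SA-CONTRIB-2014-128 above, comes from trusting two path parameters independently: the caller administers some group, the link exists, so the edit proceeds. The following is an added example, not OG Menu's code; the group, menu and link tables and the per-group "administer og menu" grants are constructed. It shows the parameters being cross-checked against each other before the link is loaded, which closes both the modification and the disclosure path, since the edit form never receives a link from another group's menu.

```python
"""Cross-checking path parameters before acting on a menu link.

Added example for this advisory (and the re-issued SA-CONTRIB-2014-128); it
is not OG Menu's code and the group/menu/link tables are constructed.  The
point is that ``gid`` and ``mlid`` arriving in the path must agree with
each other and with the caller's group-level permission, not merely exist.
"""
from typing import Optional

# Constructed data.  A group owns a menu; links live in menus.
GROUP_MENUS = {"menu-og-7": 7, "menu-og-9": 9}            # menu_name -> gid
MENU_LINKS = {                                          # mlid -> (menu_name, title)
    101: ("menu-og-7", "Group 7 home"),
    102: ("menu-og-9", "Group 9 home"),
    5: ("main-menu", "Site-wide front page"),
}
# Users holding "administer og menu" inside each group (hypothetical grants).
GROUP_ADMINS = {"alice": {7}, "bob": {9}}


def link_vulnerable(user: str, gid: int, mlid: int) -> Optional[dict]:
    """Deliberately vulnerable: checks that the user administers *some*
    group and that the link exists, but never ties ``mlid`` to ``gid``.
    Returning the record is the information disclosure; editing or
    deleting it follows from the same missing check."""
    if not GROUP_ADMINS.get(user) or mlid not in MENU_LINKS:
        return None
    menu_name, title = MENU_LINKS[mlid]
    return {"mlid": mlid, "menu": menu_name, "title": title}


def link_hardened(user: str, gid: int, mlid: int) -> Optional[dict]:
    """Every parameter is checked against the others before the link is
    loaded, whether for display or for modification."""
    if gid not in GROUP_ADMINS.get(user, set()):
        return None                      # caller does not administer this group
    link = MENU_LINKS.get(mlid)
    if link is None:
        return None
    menu_name, title = link
    if GROUP_MENUS.get(menu_name) != gid:
        return None                      # link is not in this group's menu
    return {"mlid": mlid, "menu": menu_name, "title": title}


def delete_link(check, user: str, gid: int, mlid: int, links: dict) -> bool:
    """Delete only if ``check`` (vulnerable or hardened) authorises it."""
    if check(user, gid, mlid) is None:
        return False
    del links[mlid]
    return True


def demo() -> dict:
    """bob administers group 9 only; each key says whether the action succeeds."""
    return {
        # bob targets group 7's link while the path claims gid=9
        "vuln_cross_group": link_vulnerable("bob", 9, 101) is not None,
        "hard_cross_group": link_hardened("bob", 9, 101) is not None,
        # bob targets a site-wide link that belongs to no group at all
        "vuln_site_menu": link_vulnerable("bob", 9, 5) is not None,
        "hard_site_menu": link_hardened("bob", 9, 5) is not None,
        # legitimate edit of a link in bob's own group menu
        "hard_own_group": link_hardened("bob", 9, 102) is not None,
        # carol administers nothing
        "hard_nobody": link_hardened("carol", 9, 102) is not None,
        # the same checks guarding a deletion
        "vuln_delete_cross_group": delete_link(link_vulnerable, "bob", 9, 101, dict(MENU_LINKS)),
        "hard_delete_cross_group": delete_link(link_hardened, "bob", 9, 101, dict(MENU_LINKS)),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:24} allowed={ok}")
```

With the loose check, bob (an administrator of group 9 only) can read and delete group 7's link and even a site-wide main-menu link by naming their mlid in the path; with the cross-check he can only touch links that actually belong to the menu of the group he administers.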
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups Menu (OG Menu) 6.x-2.x versions prior to 6.x-2.5.
* Organic Groups Menu (OG Menu) 7.x-2.x versions prior to 7.x-2.3.
* Organic Groups Menu (OG Menu) 7.x-3.x versions prior to 7.x-3.0
Drupal core is not affected. If you do not use the contributed OG Menu [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OG Menu module for Drupal 6.x, upgrade to OG Menu 6.x-2.5 [5]
* If you use the OG Menu module for Drupal 7.x and the OG module 7.x-1.x, upgrade to OG Menu 7.x-2.3 [6]
* If you use the OG Menu module for Drupal 7.x and the OG module 7.x-2.x, upgrade to OG Menu 7.x-3.0 [7]
Also see the OG Menu [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Lars Schröter [9]
-------- FIXED BY
------------------------------------------------------------
* Wim Vanheste [10] the module maintainer
* Lars Schröter [11]
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [12] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/og_menu
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/og_menu
[5] https://drupal.org/node/2390187
[6] https://www.drupal.org/node/2390193
[7] https://www.drupal.org/node/2390195
[8] https://www.drupal.org/project/og_menu
[9] https://www.drupal.org/u/osopolar
[10] https://www.drupal.org/u/rv0
[11] https://www.drupal.org/u/osopolar
[12] https://www.drupal.org/user/1852732
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2390897
* Advisory ID: DRUPAL-SA-CONTRIB-2014-124
* Project: Poll Chart Block [1] (third-party module)
* Version: 7.x
* Date: 2014-December-10
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables users to have a block displaying the result of the last
poll as a chart.
The module doesn't sufficiently sanitize poll node titles when displaying the
block.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to create polls and the poll chart block must be enabled.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Poll Chart Block (poll_chart) 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Poll Chart Block [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Poll Chart Block module for Drupal 7.x, upgrade to Poll Chart Block 7.x-1.2 [5]
Also see the Poll Chart Block [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Pere Orga [7]
-------- FIXED BY
------------------------------------------------------------
* CSÉCSY László [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [9] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/poll_chart
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/poll_chart
[5] https://www.drupal.org/node/2390097
[6] https://www.drupal.org/project/poll_chart
[7] https://www.drupal.org/user/2301194
[8] https://www.drupal.org/user/199303
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2390857
* Advisory ID: DRUPAL-SA-CONTRIB-2014-123
* Project: Postal Code [1] (third-party module)
* Version: 7.x
* Date: 2014-December-10
* Security risk: 14/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Postal Code module enables you to implement postal code validation for
several countries.
The module doesn't sufficiently sanitize certain data in the administrative
interface, thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with a permission that allows adding or editing fields to entity types such
as "administer taxonomy terms" or "administer content types".
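Four advisories on this page (Course, School Administration, Poll Chart Block and this one) come down to the same output-encoding mistake: a string a low-privileged user controls, usually a node title, is printed into a message or block without escaping. The following is an added example serving all four; it is not code from those modules or from Drupal core. It reproduces the documented placeholder rules of Drupal 7's t()/format_string() (@var escaped, %var escaped and wrapped in <em class="placeholder">, !var inserted raw) so the unsafe and the safe way of printing a title can be compared; the hostile title is constructed.

```python
"""Escaping node titles where they are output: a model of Drupal 7's
placeholder rules for t()/format_string().

Added example serving the Course, School Administration, Poll Chart Block
and Postal Code advisories; it is not code from those modules or from
Drupal core.  The sample title is constructed.
"""
import html
import re


def check_plain(text: str) -> str:
    """HTML-escape untrusted text, like Drupal's check_plain() (Python writes
    the apostrophe as &#x27; where PHP writes &#039;; both are correct)."""
    return html.escape(text, quote=True)


def format_string(string: str, args: dict) -> str:
    """Replace placeholders in one pass, longest keys first (strtr() semantics).

    @var -> escaped, %var -> escaped inside <em class="placeholder">,
    !var -> inserted as-is, which is only safe for markup the caller built.
    """
    replacements = {}
    for key, value in args.items():
        if key.startswith("@"):
            replacements[key] = check_plain(value)
        elif key.startswith("%"):
            replacements[key] = f'<em class="placeholder">{check_plain(value)}</em>'
        elif key.startswith("!"):
            replacements[key] = value
        else:
            raise ValueError(f"placeholder {key!r} must start with @, % or !")
    if not replacements:
        return string
    pattern = "|".join(re.escape(k) for k in sorted(replacements, key=len, reverse=True))
    return re.sub(pattern, lambda m: replacements[m.group(0)], string)


# Constructed node title, as a user with permission to create course content
# (or polls, or class nodes) could save it.
HOSTILE_TITLE = 'Algebra <img src=x onerror="alert(document.cookie)"> 101'


def message_unsafe(title: str) -> str:
    """The pattern behind the four advisories: the title interpolated raw."""
    return format_string("Added !title to the course.", {"!title": title})


def message_safe(title: str) -> str:
    """Same message with the title escaped at output time."""
    return format_string("Added %title to the course.", {"%title": title})


def contains_markup(rendered: str) -> bool:
    """Demo check: did an unescaped tag survive into the output?"""
    return "<img" in rendered


if __name__ == "__main__":
    print("unsafe:", message_unsafe(HOSTILE_TITLE))
    print("safe:  ", message_safe(HOSTILE_TITLE))
```

The raw placeholder leaves the img tag and its onerror handler intact, so the stored title executes in every administrator's browser that renders the message; the escaped placeholder turns it into visible text. The same rule applies to block output and field settings: node titles, poll titles and administrator-entered field configuration are plain text and must pass through check_plain() (or an @/% placeholder) at the point where they are turned into HTML.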
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Postal Code 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Postal Code [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Postal Code module for Drupal 7.x, upgrade to Postal Code 7.x-1.9 [5]
Also see the Postal Code [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Vance [7] (provisional member of the Drupal Security Team)
-------- FIXED BY
------------------------------------------------------------
* Jeremy Edgell [8] the module maintainer
* Matt Vance [9] (provisional member of the Drupal Security Team)
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [10] of the Drupal Security Team
* Ben Dougherty [11] provisional member of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/postal_code
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/postal_code
[5] https://www.drupal.org/node/2390323
[6] https://www.drupal.org/project/postal_code
[7] https://www.drupal.org/user/88338
[8] https://www.drupal.org/user/1854054
[9] https://www.drupal.org/user/88338
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/1852732
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity