Security-news

security-news@drupal.org

1 participants
1782 discussions

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service
by security-news＠drupal.org 19 Nov '14

19 Nov '14

View online: https://www.drupal.org/node/2378367 * Advisory ID: DRUPAL-SA-CONTRIB-2014-113 * Project: Secure Password Hashes [1] (third-party module) * Version: 6.x * Date: 2014-11-19 * Security risk: 11/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Proof/TD:All [2] * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). This vulnerability can be exploited by anonymous users See also: https://www.drupal.org/SA-CORE-2014-006 [3] -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1. Drupal core is not affected. If you do not use the contributed Secure Password Hashes [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Secure Password Hashes module for Drupal 6.x, upgrade to Secure Password Hashes 6.x-2.1 [6] Also see the Secure Password Hashes [7] project page. -------- REPORTED BY --------------------------------------------------------- * Michael Cullum [8] * Javier Nieto [9] * Andrés Rojas Guerrero [10] -------- FIXED BY ------------------------------------------------------------ * Peter Wolanin [11] the module maintainer and Drupal Security Team member -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/phpass [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/SA-CORE-2014-006 [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/phpass [6] https://www.drupal.org/node/2378375 [7] https://www.drupal.org/project/phpass [8] https://www.drupal.org/u/MichaelCu [9] https://www.drupal.org/u/jnietotn [10] https://www.drupal.org/u/c0r3dump3d [11] https://www.drupal.org/user/49851 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)
by security-news＠drupal.org 19 Nov '14

19 Nov '14

View online: https://www.drupal.org/node/2378287 * Advisory ID: DRUPAL-SA-CONTRIB-2014-112 * Project: Node Field [1] (third-party module) * Version: 7.x * Date: 2014-November-19 * Security risk: 7/25 ( Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Node Field 7.x-2.x versions prior to 7.x-2.45. Drupal core is not affected. If you do not use the contributed Node Field [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Field module for Drupal 7.x, upgrade to Node Field 7.x-2.45 [5] Also see the Node Field [6] project page. -------- REPORTED BY --------------------------------------------------------- * Matt Vance [7] -------- FIXED BY ------------------------------------------------------------ * Leonid Kuznetsov [8] the module maintainer * Leonid Mamaev [9] the module project manager * Matt Vance [10] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team * David Rothstein [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [17] [1] https://www.drupal.org/project/node_field [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/node_field [5] https://www.drupal.org/node/2373157 [6] https://www.drupal.org/project/node_field [7] https://www.drupal.org/user/88338 [8] https://www.drupal.org/user/2997345 [9] https://www.drupal.org/user/1992676 [10] https://www.drupal.org/user/88338 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/124982 [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration [17] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass
by security-news＠drupal.org 19 Nov '14

19 Nov '14

View online: https://www.drupal.org/node/2378279 * Advisory ID: DRUPAL-SA-CONTRIB-2014-111 * Project: Protected Pages [1] (third-party module) * Version: 7.x * Date: 2014-November-19 * Security risk: 11/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password. The module did not sufficiently protect variations on the protected path. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Protected Pages 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Protected Pages [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to protected_pages 7.x-2.4 [5] Also see the Protected Pages [6] project page. -------- REPORTED BY --------------------------------------------------------- * Olaf Grabienski [7] -------- FIXED BY ------------------------------------------------------------ * Varun Mishra [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Michael Hess [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/protected_pages [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/protected_pages [5] https://www.drupal.org/node/2353451 [6] https://www.drupal.org/project/protected_pages [7] https://www.drupal.org/user/77861 [8] https://www.drupal.org/user/168948 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/102818 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)
by security-news＠drupal.org 12 Nov '14

12 Nov '14

View online: https://www.drupal.org/node/2373981 * Advisory ID: DRUPAL-SA-CONTRIB-2014-109 * Project: Freelinking [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-November-12 * Security risk: 16/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites. The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the person creating the content containing the link must have a role that allows use of an unsafe text format (e.g. "Full HTML"), or the Freelinking filter must be placed /after/ all text sanitizion filters (e.g. "Limit allowed HTML tags") in an otherwise safe text format (e.g. "Filtered HTML"). Please note that this vulnerability also existed the freelinking_nodetitle.inc in versions prior to 6.x-3.4 and 7.x-3.4, but this was patched in releases 6.x-3.4 and 7.x-3.4. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Freelinking 6.x-x.x versions prior to 6.x-3.5. * Freelinking 7.x-x.x versions prior to 7.x-3.5. Drupal core is not affected. If you do not use the contributed Freelinking [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Freelinking module for Drupal 6.x, upgrade to Freelinking 6.x-3.5 [5] * If you use the Freelinking module for Drupal 7.x, upgrade to Freelinking 7.x-3.5 [6] Please note that the plugin freelinking_path.inc contains multible vulnerabilities and was removed in the releases 6.x-3.3 and 7.x-3.3. You should check to see if this file is still present, and if it is: Remove it from the plugin sub-directory /before/ you install the latest version. Also see the Freelinking [7] project page. -------- REPORTED BY --------------------------------------------------------- * Cash Williams [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Cash Williams [9] of the Drupal Security Team * Gisle Hannemyr [10], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Cash Williams [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/freelinking [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/freelinking [5] https://www.drupal.org/node/2373117 [6] https://www.drupal.org/node/2373121 [7] https://www.drupal.org/project/freelinking [8] https://www.drupal.org/u/cashwilliams [9] https://www.drupal.org/u/cashwilliams [10] https://www.drupal.org/u/gisle [11] https://www.drupal.org/u/cashwilliams [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass
by security-news＠drupal.org 12 Nov '14

12 Nov '14

View online: https://www.drupal.org/node/2373973 * Advisory ID: DRUPAL-SA-CONTRIB-2014-108 * Project: Webform Component Roles [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-November-12 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Webform Component Roles 6.x-1.x versions prior to 6.x-1.8. * Webform Component Roles 7.x-1.x versions prior to 7.x-1.8. Drupal core is not affected. If you do not use the contributed Webform Component Roles [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Webform Component Roles module for Drupal 6.x, upgrade to Webform Component Roles 6.x-1.8 [5] * If you use the Webform Component Roles module for Drupal 7.x, upgrade to Webform Component Roles 7.x-1.8 [6] Also see the Webform Component Roles [7] project page. -------- REPORTED BY --------------------------------------------------------- * Colleen Blaho [8] -------- FIXED BY ------------------------------------------------------------ * Shawn Sheridan [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * David Rothstein [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/webform_component_roles [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/webform_component_roles [5] https://www.drupal.org/node/2373471 [6] https://www.drupal.org/node/2373473 [7] https://www.drupal.org/project/webform_component_roles [8] https://www.drupal.org/user/3042419 [9] https://www.drupal.org/user/138669 [10] https://www.drupal.org/user/124982 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting
by security-news＠drupal.org 12 Nov '14

12 Nov '14

View online: https://www.drupal.org/node/2373961 * Advisory ID: DRUPAL-SA-CONTRIB-2014-107 * Project: Scheduler [1] (third-party module) * Version: 6.x, 7.x * Date: 2014-November-12 * Security risk: 14/25 ( Moderately Critical) AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site Scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scheduler". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Scheduler 6.x-1.x versions prior to 6.x-1.10. * Scheduler 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Scheduler [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Scheduler module for Drupal 6.x, upgrade to Scheduler 6.x-1.10 [5] * If you use the Scheduler module for Drupal 7.x, upgrade to Scheduler 7.x-1.3 [6] Also see the Scheduler [7] project page. -------- REPORTED BY --------------------------------------------------------- * Matt Vance [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Matt Vance [9] of the Drupal Security Team * Lee Rowlands [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/scheduler [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/scheduler [5] http://www.drupal.org/node/2373385 [6] https://www.drupal.org/node/2373369 [7] https://www.drupal.org/project/scheduler [8] https://www.drupal.org/user/88338 [9] https://www.drupal.org/user/88338 [10] https://www.drupal.org/u/larowlan [11] https://www.drupal.org/u/larowlan [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass
by security-news＠drupal.org 29 Oct '14

29 Oct '14

View online: https://www.drupal.org/node/2365809 * Advisory ID: DRUPAL-SA-CONTRIB-2014-106 * Project: Commerce Authorize.Net SIM/DPM Payment Methods [1] (third-party module) * Version: 7.x * Date: 2014-October-29 * Security risk: 12/25 ( Moderately Critical) AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module provides payment methods for the Drupal Commerce [3] package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. .... Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Commerce Authorize.Net SIM/DPM Payment Methods module for Drupal 7.x, upgrade to Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.1 [6] Also see the Commerce Authorize.Net SIM/DPM Payment Methods [7] project page. -------- REPORTED BY --------------------------------------------------------- * Vadim Mirgorod [8] -------- FIXED BY ------------------------------------------------------------ * Vadim Mirgorod [9] * Jerry Hudgins [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Lee Rowlands [11] of the Drupal Security Team * Rick Manelius [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] https://www.drupal.org/project/commerce_authnet_simdpm [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/commerce [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/commerce_authnet_simdpm [6] https://www.drupal.org/node/2361849 [7] https://www.drupal.org/project/commerce_authnet_simdpm [8] https://www.drupal.org/user/243418 [9] https://www.drupal.org/user/243418 [10] https://www.drupal.org/user/96266 [11] https://www.drupal.org/u/larowlan [12] https://www.drupal.org/user/680072 [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-105 - OG Menu - Access Bypass
by security-news＠drupal.org 29 Oct '14

29 Oct '14

View online: https://www.drupal.org/node/2365685 * Advisory ID: DRUPAL-SA-CONTRIB-2014-105 * Project: OG Menu [1] (third-party module) * Version: 7.x * Date: 2014-October-29 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Access bypass, Information Disclosure -------- DESCRIPTION --------------------------------------------------------- OG Menu allows using menus within Organic Groups. The permissions for accessing the module settings were to broad, possibly granting access to users who would normally not be able to change the OG Menu configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * OG Menu 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed OG Menu [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version of the 7.x-2.x branch: * If you use the OG Menu module for Drupal 7.x, upgrade to OG Menu 7.x-2.2 [5] The OG Menu 7.x-3.x branch is not affected. Also see the OG Menu [6] project page. -------- REPORTED BY --------------------------------------------------------- * Lucas D Hedding [7] -------- FIXED BY ------------------------------------------------------------ * Wim Vanheste [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] https://www.drupal.org/project/og_menu [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/og_menu [5] https://www.drupal.org/node/2365259 [6] https://www.drupal.org/project/og_menu [7] https://www.drupal.org/user/1463982 [8] https://www.drupal.org/user/655596 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-104 - Addressfield Tokens - Cross Site Scripting
by security-news＠drupal.org 29 Oct '14

29 Oct '14

View online: https://www.drupal.org/node/2365673 * Advisory ID: DRUPAL-SA-CONTRIB-2014-104 * Project: Addressfield Tokens [1] (third-party module) * Version: 7.x * Date: 2014-October-29 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Addressfield Tokens module extends the Addressfield module by adding full token support. The module doesn't sufficiently filter malicious user input, opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create content" or "edit content". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Addressfield Tokens 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed Addressfield Tokens [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Addressfield Tokens module for Drupal 7.x, upgrade to Addressfield Tokens 7.x-1.5 [5] Also see the Addressfield Tokens [6] project page. -------- REPORTED BY --------------------------------------------------------- * Markus Sipilä [7] -------- FIXED BY ------------------------------------------------------------ * Markus Sipilä [8] * Stéphane Corlosquet [9] * Mark Casias [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Stéphane Corlosquet [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] https://www.drupal.org/project/addressfield_tokens [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/addressfield_tokens [5] https://www.drupal.org/node/2365663 [6] https://www.drupal.org/project/addressfield_tokens [7] https://www.drupal.org/user/109674 [8] https://www.drupal.org/user/109674 [9] https://www.drupal.org/user/52142 [10] https://www.drupal.org/user/206687 [11] https://www.drupal.org/user/52142 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)
by security-news＠drupal.org 29 Oct '14

29 Oct '14

View online: https://www.drupal.org/node/2365645 * Advisory ID: DRUPAL-SA-CONTRIB-2014-103 * Project: Passwordless [1] (third-party module) * Version: 7.x * Date: 2014-October-29 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "configure passwordless settings". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Passwordless 7.x-1.x versions up to 7.x-1.8. Drupal core is not affected. If you do not use the contributed Passwordless [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to Passwordless 7.x-1.8 [5] Also see the Passwordless [6] project page. -------- REPORTED BY --------------------------------------------------------- * Ubani Balogun [7] -------- FIXED BY ------------------------------------------------------------ * Antonio Savorelli [8] the module maintainer * Ubani Balogun [9] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] https://www.drupal.org/project/passwordless [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/passwordless [5] https://www.drupal.org/node/2361665 [6] https://www.drupal.org/project/passwordless [7] https://www.drupal.org/user/2858707 [8] https://www.drupal.org/user/121829 [9] https://www.drupal.org/user/2858707 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news