Security-news

security-news@drupal.org

1 participants
1782 discussions

SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
by security-news＠drupal.org 06 Nov '13

06 Nov '13

View online: https://drupal.org/node/2129379 * Advisory ID: DRUPAL-SA-CONTRIB-2013-089 * Project: Node Access Keys [1] (third-party module) * Version: 7.x * Date: 2013-November-06 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Node Access Keys 7.x-1.0. Drupal core is not affected. If you do not use the contributed Node Access Keys [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Node Access Keys module for Drupal 7.x, upgrade to Node Access Keys 7.x-1.1 [5] Also see the Node Access Keys [6] project page. -------- REPORTED BY --------------------------------------------------------- * Daniel Korte [7] the module maintainer -------- FIXED BY ------------------------------------------------------------ * Daniel Korte [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Ben Jeavons [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/nodeaccesskeys [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/nodeaccesskeys [5] https://drupal.org/node/2125239 [6] http://drupal.org/project/nodeaccesskeys [7] http://drupal.org/user/453668 [8] http://drupal.org/user/453668 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/91990 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data
by security-news＠drupal.org 06 Nov '13

06 Nov '13

View online: https://drupal.org/node/2129381 * Advisory ID: DRUPAL-SA-CONTRIB-2013-088 * Project: Secure Pages [1] (third-party module) * Version: 6.x * Date: 2013-November-06 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Missing Encryption of Sensitive Data -------- DESCRIPTION --------------------------------------------------------- The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a user to land on a specially constructed page or through normal interactions with the site. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Secure Pages 6.x-2.x versions prior to 6.x-2.0. Drupal core is not affected. If you do not use the contributed Secure Pages [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Secure Pages module for Drupal 6.x, upgrade to Secure Pages 6.x-2.0 [5] Also see the Secure Pages [6] project page. -------- REPORTED BY --------------------------------------------------------- * Balazs Nagykekesi [7] -------- FIXED BY ------------------------------------------------------------ * Balazs Nagykekesi [8] * Dylan Tack [9] of the Drupal Security Team, module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/securepages [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/securepages [5] https://drupal.org/node/2128739 [6] http://drupal.org/project/securepages [7] http://drupal.org/user/21231 [8] http://drupal.org/user/21231 [9] http://drupal.org/user/96647 [10] http://drupal.org/user/262198 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass
by security-news＠drupal.org 06 Nov '13

06 Nov '13

View online: https://drupal.org/node/2129373 * Advisory ID: DRUPAL-SA-CONTRIB-2013-087 * Project: Payment for Webform [1] (third-party module) * Version: 7.x * Date: 2013-November-06 * Security risk: Not critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that prevented them from using the Webform component. This vulnerability is mitigated by the fact that an attacker must be anonymous and that other anonymous users must have made payments that have not been used for submitting a webform yet. It does not compromise sites' security, nor does it allow anonymous users to do anything they would not have been able to do, if they had made a payment themselves. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Payment for Webform 7.x-1.x versions prior to 7.x-1.5. Drupal core is not affected. If you do not use the contributed Payment for Webform [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Payment for Webform module for Drupal 7.x, upgrade to 7.x-1.5 [5] Additionally, if you have any forms that use the component and are accessible to anonymous users, you may need to update those to prevent form validation errors. Also see the Payment for Webform [6] project page. -------- REPORTED BY --------------------------------------------------------- * Herman van Rink [7] (helmo) * Clemens Tolboom [8] (clemens.tolboom) * Greg Knaddison [9] (greggles) of the security team -------- FIXED BY ------------------------------------------------------------ * Bart Feenstra [10] (Xano), the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/payment_webform [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/payment_webform [5] https://drupal.org/node/2128345 [6] http://drupal.org/project/payment_webform [7] https://drupal.org/user/449000 [8] https://drupal.org/user/125814 [9] https://drupal.org/user/36762 [10] https://drupal.org/user/62965 [11] http://drupal.org/user/36762 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

PSA-2013-002: Direct download links available even during Drupal.org upgrade window
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124407 This is a short addition to the security announcements released on October 30th. Due to Drupal.org's scheduled downtime on October 31, not all links in those mails may be available when you need them. If you encounter this situation, please use the following direct URLs to the archives containing the updates. -------- QUIZ: [1] ----------------------------------------------------------- * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.tar.gz * http://ftp.drupal.org/files/projects/quiz-6.x-4.5.zip -------- FILEFIELD SOURCES: [2] ---------------------------------------------- * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.tar.gz * http://ftp.drupal.org/files/projects/filefield_sources-6.x-1.9.zip * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.tar.gz * http://ftp.drupal.org/files/projects/filefield_sources-7.x-1.9.zip -------- MONSTER MENUS: [3] -------------------------------------------------- * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.tar.gz * http://ftp.drupal.org/files/projects/monster_menus-7.x-1.15.zip [1] https://drupal.org/node/2123995 [2] https://drupal.org/node/2124241 [3] https://drupal.org/node/2124289

1 0

SA-CONTRIB-2013-086 - Monster Menus - Access bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124289 * Advisory ID: DRUPAL-SA-CONTRIB-2013-086 * Project: Monster Menus [1] (third-party module) * Version: 7.x * Date: 2013-October-30 * Security risk: Critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this flaw to be relevant and exploited, the node itself must be readable by the attacker. Furthermore, the "Who can read comments" setting for the node must be something other than "Everyone". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * monster_menus 7.x-1.x versions prior to 7.x-1.15. Drupal core is not affected. If you do not use the contributed Monster Menus [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the monster_menus module for Drupal 7.x, upgrade to monster_menus 7.x-1.15 [5] Also see the Monster Menus [6] project page. -------- REPORTED BY --------------------------------------------------------- * Dan Wilga [7] -------- FIXED BY ------------------------------------------------------------ * Dan Wilga [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/monster_menus [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/monster_menus [5] https://drupal.org/node/2123287 [6] http://drupal.org/project/monster_menus [7] https://drupal.org/user/56892 [8] https://drupal.org/user/56892 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124279 * Advisory ID: DRUPAL-SA-CONTRIB-2013-085 * Project: Feed Element Mapper [1] (third-party module) * Version: 6.x * Date: 2013-October-30 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- All versions of the module. Drupal core is not affected. If you do not use the contributed Feed Element Mapper [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Users of the module are encouraged to evaluate the risks and mitigating factors and remove the module. There is no release with a fix available. The module is generally unsupported and users are encouraged to switch to FeedAPI suite of modules. Also see the Feed Element Mapper [5] project page. -------- REPORTED BY --------------------------------------------------------- * Justin Klein-Keane [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [7] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. [1] http://drupal.org/project/feedapi_mapper [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/feedapi_mapper [5] http://drupal.org/project/feedapi_mapper [6] http://drupal.org/user/302225 [7] http://drupal.org/user/36762 [8] http://drupal.org/contact [9] http://drupal.org/security-team [10] http://drupal.org/writing-secure-code [11] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-083 - Quiz - Access Bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2123995 * Advisory ID: DRUPAL-SA-CONTRIB-2013-083 * Project: Quiz [1] (third-party module) * Version: 6.x * Date: 2013-October-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- .... Access bypass on deleting quiz results The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the delete quiz results permission. All users who have the permission to view Quiz results can access the delete option in the results page irrespective of "delete any quiz results" and "delete results for own quiz" permissions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view any quiz results" or "view results for own quiz". .... Access bypass in viewing quiz views The Quiz module has Views integration including default Views. These default views provided by the module do not have proper access control. If the Views are enabled and the access controls are left unchanged then information about users quiz results may be disclosed. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Quiz 6.x-4.x versions prior to 6.x-4.5. Drupal core is not affected. If you do not use the contributed Quiz [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Quiz module for Drupal 6.x, upgrade to Quiz 6.x-4.5 [5] * For both versions: Review the Quiz results view and delete permissions and ensure it is working as expected for intended users Also see the Quiz [6] project page. -------- REPORTED BY --------------------------------------------------------- * nirvanajyothi [7] * Cat Hirst [8] -------- FIXED BY ------------------------------------------------------------ * Wouter Admiraal [9] * Sivaji Ganesh [10] the module co-maintainer * Falcon [11] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Dan Smith [12], Jakub Suchy [13], Ned McClain [14], Greg Knaddison [15] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [16]. Learn more about the Drupal Security team and their policies [17], writing secure code for Drupal [18], and securing your site [19]. [1] http://drupal.org/project/quiz [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/quiz [5] https://drupal.org/node/2123727 [6] http://drupal.org/project/quiz [7] https://drupal.org/user/252387 [8] https://drupal.org/user/162748 [9] https://drupal.org/user/440510 [10] https://drupal.org/user/328724 [11] https://drupal.org/user/530912 [12] https://drupal.org/user/241220 [13] https://drupal.org/user/31977 [14] https://drupal.org/user/798324 [15] https://drupal.org/user/36762 [16] http://drupal.org/contact [17] http://drupal.org/security-team [18] http://drupal.org/writing-secure-code [19] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-084 - FileField Sources - Access Bypass
by security-news＠drupal.org 30 Oct '13

30 Oct '13

View online: https://drupal.org/node/2124241 * Advisory ID: DRUPAL-SA-CONTRIB-2013-084 * Project: FileField Sources [1] (third-party module) * Version: 6.x, 7.x * Date: 2013-Oct-30 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring file files from a remote server, pasting a file directly from the clipboard, and selecting existing files through the IMCE file browser. The module doesn't sufficiently check file access permissions when attaching an existing file. Any existing file could be re-used and the user would then be granted access to that file. This vulnerability is mitigated by the fact that an attacker must have a permission granting the ability to create content which has a file field using the module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Filefield Sources 6.x-1.x versions prior to 6.x-1.9. * Filefield Sources 7.x-1.x versions prior to 7.x-1.9. Drupal core is not affected. If you do not use the contributed FileField Sources [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the FileField Sources module for Drupal 6.x, upgrade to FileField Sources 6.x-1.9 [5] * If you use the FileField Sources module for Drupal 7.x, upgrade to FileField Sources 7.x-1.9 [6] Also see the FileField Sources [7] project page. -------- REPORTED BY --------------------------------------------------------- * Joseph Lee [8] -------- FIXED BY ------------------------------------------------------------ * Nathan Haug [9] the module maintainer * Cash Williams [10] provisional member of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Cash Williams [11] provisional member of the Drupal Security Team * David Stoline [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. [1] http://drupal.org/project/filefield_sources [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/filefield_sources [5] https://drupal.org/node/2124217 [6] https://drupal.org/node/2124219 [7] http://drupal.org/project/filefield_sources [8] http://drupal.org/user/32743 [9] http://drupal.org/user/6399 [10] http://drupal.org/user/29938 [11] http://drupal.org/user/29938 [12] http://drupal.org/user/329570‎ [13] http://drupal.org/contact [14] http://drupal.org/security-team [15] http://drupal.org/writing-secure-code [16] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)
by security-news＠drupal.org 23 Oct '13

23 Oct '13

View online: https://drupal.org/node/2118873 * Advisory ID: DRUPAL-SA-CONTRIB-2013-082 * Project: Bean [1] (third-party module) * Version: 7.x * Date: 2013-10-23 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Bean 7.x-1.x versions prior to 7.x-1.5 Drupal core is not affected. If you do not use the contributed Bean [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Bean module for Drupal 7.x, upgrade to Bean 7.x-1.5 [5] Also see the Bean [6] project page. -------- REPORTED BY --------------------------------------------------------- * Francesco Quagliati [7] -------- FIXED BY ------------------------------------------------------------ * Damien McKenna [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/bean [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/bean [5] https://drupal.org/node/2118867 [6] http://drupal.org/project/bean [7] http://drupal.org/user/1977720 [8] https://drupal.org/user/108450 [9] http://drupal.org/user/426416 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2013-081 - Spaces - Access bypass
by security-news＠drupal.org 23 Oct '13

23 Oct '13

View online: https://drupal.org/node/2118717 * Advisory ID: DRUPAL-SA-CONTRIB-2013-081 * Project: Spaces [1] (third-party module) * Version: 6.x * Date: 2013-10-23 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move to a new group is selected. Instead of moving the content to a new group, the content is left orphaned, and for deleted private groups, that content will then be viewable by anyone with "access content" permission when the site's or content's access is rebuilt. The issue is mitigated by needing to be using the submodule spaces OG, and needing the site users to be in the situation of deleting a group and using that move option, and needing the content's access to be rebuilt. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Spaces 6.x-3.x versions prior to 6.x-3.7. Drupal core is not affected. If you do not use the contributed Spaces [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Spaces module for Drupal 6.x, upgrade to Spaces 6.x-3.7 [5] Also see the Spaces [6] project page. -------- REPORTED BY --------------------------------------------------------- * Hunter Fox [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Tobby Hagler [8] a module maintainer * Hunter Fox [9] of the Drupal Security Team, module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Hunter Fox [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. [1] http://drupal.org/project/spaces [2] http://drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] http://drupal.org/project/spaces [5] https://drupal.org/node/2118745 [6] http://drupal.org/project/spaces [7] http://drupal.org/user/426416 [8] http://drupal.org/user/154797 [9] http://drupal.org/user/426416 [10] http://drupal.org/user/426416 [11] http://drupal.org/contact [12] http://drupal.org/security-team [13] http://drupal.org/writing-secure-code [14] http://drupal.org/security/secure-configuration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news