View online: http://drupal.org/node/1802230
* Advisory ID: DRUPAL-SA-CONTRIB-2012-150
* Project: Twitter Pull [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-October-03
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Twitter Pull allows you to retrieve tweets from Twitter based on a user or
search and display them on your site. It also includes integration with the
boxes module to allow for simple placement of twitter feeds on various pages.
The module doesn't sufficiently filter the data coming from Twitter which
could result in script injection and XSS attacks.
This vulnerability is mitigated by the fact that Twitter is a generally
trusted source and is unlikely to serve malicious content.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Twitter Pull 6.x-1.x versions prior to 6.x-1.3.
* Twitter Pull 7.x-1.x versions prior to 7.x-1.0-rc3.
Drupal core is not affected. If you do not use the contributed Twitter Pull
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Twitter Pull module for Drupal 6.x, upgrade to Twitter Pull
6.x-1.3 [5]
* If you use the Twitter Pull module for Drupal 7.x, upgrade to Twitter Pull
7.x-1.0-rc3 [6]
Also see the Twitter Pull [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sylvain Delbosc [8]
* Alex Pott [9]
* Tom Phethean [10]
-------- FIXED BY
------------------------------------------------------------
* Sylvain Delbosc [11]
* Josh Caldwell [12] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/twitter_pull
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/twitter_pull
[4] http://drupal.org/project/twitter_pull
[5] http://drupal.org/node/1801442
[6] http://drupal.org/node/1801444
[7] http://drupal.org/project/twitter_pull
[8] http://drupal.org/user/174778
[9] http://drupal.org/user/157725
[10] http://drupal.org/user/881620
[11] http://drupal.org/user/174778
[12] http://drupal.org/user/855980
[13] http://drupal.org/user/27
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1802218
* Advisory ID: DRUPAL-SA-CONTRIB-2012-149
* Project: Hostip [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-October-03
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Hostip enables you to query the http://www.hostip.info/ [3] API to get the
country / state information based on the user's IP address or a specific IP
passed to it. The module fails to sanitize data retrieved from an untrusted
third party source, thereby exposing an arbitrary script injection
vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker must either have
gained access to that third party source or use techniques such as DNS
spoofing in order to inject malicious data.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Hostip 6.x-2.x versions prior to 6.x-2.2.
* Hostip 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Hostip [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Hostip module for Drupal 6.x, upgrade to Hostip 6.x-1.2 [5]
* If you use the Hostip module for Drupal 7.x, upgrade to Hostip 7.x-1.2 [6]
Also see the Hostip [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Vaibhav Jain [9] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/hostip
[2] http://drupal.org/security-team/risk-levels
[3] http://www.hostip.info/
[4] http://drupal.org/project/hostip
[5] http://drupal.org/node/1802046
[6] http://drupal.org/node/1802048
[7] http://drupal.org/project/hostip
[8] http://drupal.org/user/262198
[9] http://drupal.org/user/1159692
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1796036
* Advisory ID: DRUPAL-SA-CONTRIB-2012-148
* Project: Organic groups [1] (third-party module)
* Version: 7.x
* Date: 2012-September-26
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
OG (Organic groups) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves. A group membership can be given
immediately upon subscribing, or be pending - waiting for a group
administrator to approve it.
OG doesn't properly maintain pending memberships if the user is allowed to
edit their own account.
In addition, under certain circumstances, a user was able to post to a group
which they were not a member of.
There are no additional mitigating factors for these issues.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* OG (Organic groups) 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Organic groups
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the OG 7.x-1.x module for Drupal 7.x, upgrade to OG (Organic
groups) 7.x-1.5 [4]
Also see the Organic groups [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Zoltán Tóth [6]
* John Takousis [7]
-------- FIXED BY
------------------------------------------------------------
* Amitai Burstein [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Lee Rowlands [9]
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1795906
[5] http://drupal.org/project/og
[6] http://drupal.org/user/2126442
[7] http://drupal.org/user/1792608
[8] http://drupal.org/user/57511
[9] http://drupal.org/user/395439
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789306
* Advisory ID: DRUPAL-SA-CONTRIB-2012-147
* Project: FileField Sources [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Drupal FileField module lets you upload files from your computer through
a CCK field. The FileField Sources module expands on this ability by allowing
you to select new or existing files through additional means. The FileField
Sources module contains a persistent cross site scripting (XSS) vulnerability
due to the fact that it fails to sanitize user supplied filenames before
display.
This vulnerability is mitigated by the fact that malicious users must have
the ability to upload files on a field that has the "Reference existing"
source enabled.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources 6.x-1.x versions prior to 6.x-1.6.
* FileField Sources 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed FileField
Sources [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x, upgrade to
FileField Sources 6.x-1.6 [4]
* If you use the FileField Sources module for Drupal 7.x, upgrade to
FileField Sources 7.x-1.6 [5]
Also see the FileField Sources [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Disclosed publicly.
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/node/1789300
[5] http://drupal.org/node/1789302
[6] http://drupal.org/project/filefield_sources
[7] http://drupal.org/user/35821
[8] http://drupal.org/user/36762
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789284
* Advisory ID: DRUPAL-SA-CONTRIB-2012-146
* Project: Simplenews Scheduler [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
The Simplenews Scheduler module provides a system for creating automatic
email newsletters. These can be set to be sent at a fixed interval, or PHP
code can be entered to evaluate a condition for a new newsletter issue to be
sent.
The module allows a user with the 'send scheduled newsletters' permission to
access the scheduling form, where PHP code may be entered. This code is then
executed the next time the site runs cron. A site administrator granting
permissions is not given sufficient warning that they are granting this level
of access to the site.
This vulnerability is mitigated by the fact that an attacker must have
already been granted a role with the permission 'send scheduled newsletters'.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Simplenews Scheduler 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Simplenews
Scheduler [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Simplenews Scheduler module for Drupal 6.x, upgrade to
Simplenews Scheduler 6.x-2.4 [4]
Also see the Simplenews Scheduler [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sascha Grossenbacher [6]
* Joachim Noreiko [7] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Joachim Noreiko [8] the module maintainer
* Sascha Grossenbacher [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/simplenews_scheduler
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/simplenews_scheduler
[4] http://drupal.org/node/1789274
[5] http://drupal.org/project/simplenews_scheduler
[6] http://drupal.org/user/214652
[7] http://drupal.org/user/107701
[8] http://drupal.org/user/107701
[9] http://drupal.org/user/214652
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789260
* Advisory ID: DRUPAL-SA-CONTRIB-2012-145
* Project: Imagemenu [1] (third-party module)
* Version: 6.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Imagemenu module allows you to create Drupal menus from image files.
The module doesn't sufficiently escape image file names when rendering menus,
allowing a potential XSS attack.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer imagemenu".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Imagemenu 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Imagemenu [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Imagemenu module for Drupal 6.x, upgrade to Imagemenu
6.x-1.4 [4]
Also see the Imagemenu [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* David Houlder [6]
-------- FIXED BY
------------------------------------------------------------
* Paul Maddern [7], module maintainer
* Marcus Clements [8], module maintainer
* Ben Jeavons [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10], Ben Jeavons [11], and Greg Knaddison [12] of the Drupal
Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/imagemenu
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/imagemenu
[4] http://drupal.org/node/1788726
[5] http://drupal.org/project/imagemenu
[6] http://drupal.org/user/588210
[7] http://drupal.org/user/25159
[8] http://drupal.org/user/190002
[9] http://drupal.org/user/91990
[10] http://drupal.org/user/102818
[11] http://drupal.org/user/91990
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789258
* Advisory ID: DRUPAL-SA-CONTRIB-2012-144
* Project: Fonecta verify [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Fonecta verify provides an interface to retrieve information from the Finnish
Fonecta company information database. The module contains an arbitrary script
injection vulnerability (XSS) due to the fact that it fails to sanitize data
retrieved from an untrusted third party source.
This vulnerability is mitigated by the fact that an attacker must either have
gained access to that third party source or use techniques such as DNS
spoofing in order to inject malicious data.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fonecta verify 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Fonecta verify
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fonecta verify module for Drupal 7.x, upgrade to Fonecta
verify 7.x-1.6 [4]
Also see the Fonecta verify [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Antti Alamäki [6] the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Antti Alamäki [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/fonecta_verify
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fonecta_verify
[4] http://drupal.org/node/1778782
[5] http://drupal.org/project/fonecta_verify
[6] http://drupal.org/user/155131
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789252
* Advisory ID: DRUPAL-SA-CONTRIB-2012-143
* Project: PRH Search [1] (third-party module)
* Version: 7.x
* Date: 2012-September-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
PRH Search provides an interface to search for information about Finnish
associations using the PRH (Patentti- ja Rekisterihallitus) database.
The module fails to sanitize data retrieved from an untrusted third party
source, thereby exposing an arbitrary script injection vulnerability (XSS).
This vulnerability is mitigated by the fact that an attacker must either have
gained access to that third party source or use techniques such as DNS
spoofing in order to inject malicious data.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* PRH Search 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed PRH Search [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PRH Search module for Drupal 7.x, upgrade to PRH Search
7.x-1.1 [4]
Also see the PRH Search [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Antti Alamäki [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/prh_search
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/prh_search
[4] http://drupal.org/node/1778778
[5] http://drupal.org/project/prh_search
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/155131
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1789242
* Advisory ID: DRUPAL-SA-CONTRIB-2012-142
* Project: Spambot [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-September-19
* Security risk: Less critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Spambot module enables you to protect new user registrations from
spammers using the database at stopforumspam.com.
Spambot doesn't sufficiently sanitize API responses from stopforumspam.com
when they are logged to the watchdog, allowing a potential XSS attack.
This vulnerability is mitigated by the fact that only stopforumspam.com (or
someone pretending to be stopforumspam.com) can exploit it.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Spambot 6.x-3.x versions prior to 6.x-3.2.
* Spambot 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Spambot [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Spambot module for Drupal 6.x, upgrade to Spambot 6.x-3.2
[4]
* If you use the Spambot module for Drupal 7.x, upgrade to Spambot 7.x-1.1
[5]
Also see the Spambot [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Jimmy Axenhus [7]
-------- FIXED BY
------------------------------------------------------------
* Beng Tan [8], the module maintainer
* Jimmy Axenhus [9]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Ben Jeavons [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/spambot
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/spambot
[4] http://drupal.org/node/1789084
[5] http://drupal.org/node/1789086
[6] http://drupal.org/project/spambot
[7] http://drupal.org/user/565562
[8] http://drupal.org/user/132729
[9] http://drupal.org/user/565562
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/91990
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1782580
* Advisory ID: DRUPAL-SA-CONTRIB-2012-139
* Project: PDFThumb [1] (third-party module)
* Version: 7.x
* Date: 2012-September-12
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: OS Injection
-------- DESCRIPTION
---------------------------------------------------------
PDFThumb module creates thumbnail images of PDF files.
The module doesn't sufficiently escape user-entered values when executing
commands on the server, allowing an attacker to execute whatever commands are
available to the web server user (e.g. www-data).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer PDFThumb".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* PDFThumb 7.x-1.x versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed PDFThumb [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the PDFThumb module for Drupal 7.x, upgrade to PDFThumb 7.x-1.1
[4]
Also see the PDFThumb [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Matt Kleve [6] of the Drupal Security Team
* mdespeuilles [7], the module maintainer
-------- FIXED BY
------------------------------------------------------------
* Matt Kleve [8] of the Drupal Security Team
* mdespeuilles [9], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [10] of the Drupal Security Team
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/pdfthumb
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/pdfthumb
[4] http://drupal.org/node/1776248
[5] http://drupal.org/project/pdfthumb
[6] http://drupal.org/user/150473
[7] http://drupal.org/user/939504
[8] http://drupal.org/user/150473
[9] http://drupal.org/user/939504
[10] http://drupal.org/user/36762
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
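The "VERSIONS AFFECTED" entries in the advisories above can be checked against a site's module list mechanically. The following is an added example, not code from the advisories or from Drupal: it orders Drupal contrib version strings (including pre-releases such as 7.x-1.0-rc3) and flags installed modules older than the fixed release. Function names and the sample inventory are assumptions; Hostip and Simplenews Scheduler are left out because their VERSIONS AFFECTED and SOLUTION entries name different releases.

```python
import re

# Release stages in Drupal contrib version strings, lowest first; a plain
# release (no suffix) sorts after every pre-release of the same number.
STAGE_RANK = {"unstable": 0, "alpha": 1, "beta": 2, "rc": 3, None: 4}

VERSION_RE = re.compile(
    r"^(?P<core>\d+)\.x-(?P<major>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<stage>unstable|alpha|beta|rc)(?P<num>\d+))?$"
)

# First fixed release per project, copied from the advisories above
# (project names are the machine names in the project URLs).
FIXED_RELEASES = [
    ("twitter_pull", "6.x-1.3"), ("twitter_pull", "7.x-1.0-rc3"),
    ("og", "7.x-1.5"),
    ("filefield_sources", "6.x-1.6"), ("filefield_sources", "7.x-1.6"),
    ("imagemenu", "6.x-1.4"),
    ("fonecta_verify", "7.x-1.6"),
    ("prh_search", "7.x-1.1"),
    ("spambot", "6.x-3.2"), ("spambot", "7.x-1.1"),
    ("pdfthumb", "7.x-1.1"),
]


def parse_version(version):
    """Split '7.x-1.0-rc3' into a branch key and a sortable release key."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        # Dev snapshots such as '7.x-1.x-dev' carry no release number.
        raise ValueError("not a tagged release: %r" % version)
    branch = (int(m["core"]), int(m["major"]))
    release = (int(m["patch"]), STAGE_RANK[m["stage"]], int(m["num"] or 0))
    return branch, release


# (project, branch) -> release key of the first fixed version.
FIXED = {}
for _project, _version in FIXED_RELEASES:
    _branch, _release = parse_version(_version)
    FIXED[(_project, _branch)] = _release


def check(project, installed):
    """Return 'affected', 'fixed', 'unknown' or 'not-listed'."""
    try:
        branch, release = parse_version(installed)
    except ValueError:
        return "unknown"  # cannot be ordered; needs a manual look
    fixed = FIXED.get((project, branch))
    if fixed is None:
        return "not-listed"  # no advisory above covers this branch
    return "affected" if release < fixed else "fixed"


def audit(inventory):
    """Map each project needing attention to its status."""
    findings = {}
    for project, installed in inventory.items():
        status = check(project, installed)
        if status in ("affected", "unknown"):
            findings[project] = status
    return findings


# Constructed sample inventory (project machine name -> installed version).
SAMPLE_INVENTORY = {
    "twitter_pull": "7.x-1.0-rc2",
    "spambot": "7.x-1.1",
    "og": "7.x-2.0",
    "pdfthumb": "7.x-1.x-dev",
    "views": "7.x-3.5",
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(name, SAMPLE_INVENTORY[name], status)
```

A status of "unknown" means the installed version is a dev snapshot or otherwise not a tagged release, so it has to be compared against the fix by hand.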