View online: http://drupal.org/node/1538704
* Advisory ID: DRUPAL-SA-CONTRIB-2012-061
* Project: Gigya - Social optimization [1] (third-party module)
* Version: 6.x
* Date: 2012-April-18
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Gigya - Social optimization [3] module provides a single API that
aggregates authentication and social APIs from Facebook Connect, MySpace ID,
Twitter, and OpenID webmail providers including Google, Yahoo, and AOL.
The module doesn't sufficiently escape URL elements which are printed back to
the user.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Gigya [4] 6.x versions prior to 6.x-3.2 [5].
Drupal core is not affected. If you do not use the contributed Gigya - Social
optimization [6] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Gigya module for Drupal 6.x, upgrade to Gigya 6.x-3.2 [7]
Also see the Gigya - Social optimization [8] project page.
-------- REPORTED BY
---------------------------------------------------------
* Marek Lyczba [9]
-------- FIXED BY
------------------------------------------------------------
* Yaniv Aran-Shamir [10] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Matt Kleve [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
[1] http://drupal.org/project/gigya
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/gigya
[4] http://drupal.org/project/gigya
[5] http://drupal.org/node/1515084
[6] http://drupal.org/project/gigya
[7] http://drupal.org/node/1515084
[8] http://drupal.org/project/gigya
[9] http://drupal.org/user/20043
[10] http://drupal.org/user/691662
[11] http://drupal.org/user/150473
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1538436
* Advisory ID: DRUPAL-SA-CONTRIB-2012-060
* Project: Commerce Reorder [1] (third-party module)
* Version: 7.x
* Date: 2012-April-18
* Security risk: Not critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Commerce Reorder module enables you to reorder previously purchased
products for Drupal Commerce.
The module does not sufficiently protect the re-order URL against Cross Site
Request Forgery (CSRF [3]), allowing a malicious user to trick someone into
adding unwanted items to their shopping cart.
This vulnerability is mitigated by the fact that while items can be placed
in a shopping cart, the user still has to complete the checkout process, and
by the fact that re-ordering is restricted by access to the "source" order.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Commerce Reorder versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Commerce
Reorder [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Commerce Reorder module, upgrade to Commerce Reorder
7.x-1.1 [5]
Also see the Commerce Reorder [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [7]) of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Pedro Cambra (pcambra [8]), the module maintainer
* Ivo Van Geertruyen (mr.baileys [9]) of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Ivo Van Geertruyen (mr.baileys [10]) of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/commerce_reorder
[2] http://drupal.org/security-team/risk-levels
[3] http://en.wikipedia.org/wiki/Csrf
[4] http://drupal.org/project/commerce_reorder
[5] http://drupal.org/node/1538198
[6] http://drupal.org/project/commerce_reorder
[7] http://drupal.org/user/383424
[8] http://drupal.org/user/122101
[9] http://drupal.org/user/383424
[10] http://drupal.org/user/383424
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1528864
* Advisory ID: DRUPAL-SA-CONTRIB-2012-059
* Project: Autosave [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
This module enables snapshots of your node edit form to be saved in the
background while you are editing to help prevent the data from being lost.
The module doesn't sufficiently protect against a user being tricked into
submitting saved results to a node.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Autosave 6.x versions prior to 6.x-1.10
Drupal core is not affected. If you do not use the contributed Autosave [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Autosave module for Drupal 6.x, upgrade to Autosave 6.x-1.0
[5]
Also see the Autosave [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ryan Jud Hughes
-------- FIXED BY
------------------------------------------------------------
* liquidcms [7] the module maintainer
* Crell [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/autosave
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/autosave
[4] http://drupal.org/project/autosave
[5] http://drupal.org/node/1525998
[6] http://drupal.org/project/autosave
[7] http://drupal.org/user/44114
[8] http://drupal.org/user/26398
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1528614
* Advisory ID: DRUPAL-SA-CONTRIB-2012-058
* Project: Fivestar [1] (third-party module)
* Version: 6.x
* Date: 2012-April-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Input Validation
-------- DESCRIPTION
---------------------------------------------------------
The Fivestar module enables you to add a voting widget to nodes and comments.
The module does not sufficiently validate all votes passed by the
asynchronous voting widget allowing a malicious user to improperly modify
voting averages.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fivestar 6.x-1.x versions prior to 6.x-1.20
Drupal core is not affected. If you do not use the contributed Fivestar [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Fivestar module for Drupal 6.x, upgrade to Fivestar
6.x-1.20 [4]
Also see the Fivestar [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ezra Barnett Gildesgame [6]
-------- FIXED BY
------------------------------------------------------------
* Eric J. Duran [7], the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Jeavons [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/fivestar
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fivestar
[4] http://drupal.org/node/1528600
[5] http://drupal.org/project/fivestar
[6] http://drupal.org/user/69959
[7] http://drupal.org/user/244460
[8] http://drupal.org/user/91990
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-057
* Project: Printer, email and PDF versions [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-04
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.
The module doesn't sufficiently escape URL elements which are printed back to
the user.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15.
* Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Printer, email
and PDF versions [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Printer, email and PDF versions module for Drupal 6.x,
upgrade to Printer, email and PDF versions 6.x-1.15 [4]
* If you use the Printer, email and PDF versions module for Drupal 7.x,
upgrade to Printer, email and PDF versions 7.x-1.0 [5]
Also see the Printer, email and PDF versions [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Shlomi Zadok [7]
* Ivan Bueno [8]
-------- FIXED BY
------------------------------------------------------------
* João Ventura [9] the module maintainer
* Ivan Bueno [10]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
* James Gilliland [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/print
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/print
[4] http://drupal.org/node/1515060
[5] http://drupal.org/node/1515076
[6] http://drupal.org/project/print
[7] http://drupal.org/user/408236
[8] http://drupal.org/user/578064
[9] http://drupal.org/user/122464
[10] http://drupal.org/user/578064
[11] http://drupal.org/user/36762
[12] http://drupal.org/user/48673
[13] http://drupal.org/user/102818
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-056
* Project: Janrain Engage (formerly RPX) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-April-04
* Security risk: Less critical [2]
* Exploitable from: Not exploitable
* Vulnerability: Sensitive Data Protection Vulnerability
-------- DESCRIPTION
---------------------------------------------------------
Using Janrain Engage, Drupal sites can authenticate new and existing users
with popular social networks, map user profile data from these websites to
Drupal fields, and share Drupal content with a user's friends on their social
networks.
The module permanently retains the complete user profile data returned from
Engage in the users table. Only a subset of that data is needed for a limited
time. The profile data is also stored in the sessions table. This is
undesirable as it may include sensitive information (such as provider access
tokens).
This is not an immediate vulnerability per se as it does not create an attack
vector (i.e. it cannot be exploited) but it makes other weaknesses much more
critical (e.g. a data breach could be parlayed into privilege escalation).
-------- VERSIONS AFFECTED
---------------------------------------------------
* Janrain Engage (formerly RPX) 6.x-1.x versions (all).
* Janrain Engage (formerly RPX) 6.x-2.x versions prior to 6.x-2.2.
* Janrain Engage (formerly RPX) 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Janrain Engage
(formerly RPX) [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Janrain Engage (formerly RPX) for Drupal 6.x, upgrade to
version 6.x-2.2 [4]
* If you use Janrain Engage (formerly RPX) for Drupal 7.x, upgrade to
version 7.x-2.2 [5]
Also see the Janrain Engage (formerly RPX) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Peter Wolanin [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* George Katsitadze [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Peter Wolanin [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/rpx
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/rpx
[4] http://drupal.org/node/1515114
[5] http://drupal.org/node/1515120
[6] http://drupal.org/project/rpx
[7] http://drupal.org/user/49851
[8] http://drupal.org/user/933066
[9] http://drupal.org/user/49851
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-055
* Project: Fusion [1] (third-party theme)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Fusion is a base theme that provides a configurable grid system and modular
styling for common Drupal UI components.
The theme outputs a CSS class for the <body> tag based on the current URL,
but does not provide sufficient filtering to prevent a Cross site scripting
(XSS) attack.
This vulnerability affects all sub-themes of Fusion.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Fusion 6.x-1.x versions prior to 6.x-1.13
Drupal core is not affected. If you do not use the contributed Fusion [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion
6.x-1.13 [4].
* Most Fusion sub-themes will inherit this fix.
* If you copied code from Fusion core's template.php file into a custom
  sub-theme's template.php file you should compare your code to the changes
  made in this release to ensure the vulnerability has not been duplicated.
  In YOURTHEME_preprocess_page() look for this code:
      $vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', drupal_get_path_alias($_GET['q'])));
  If this code exists within your sub-theme, there are two possible
  solutions:
  1) *Recommended:* Delete the line of code. It is unnecessary in your
     sub-theme since the sub-theme will inherit this functionality from
     Fusion Core
  2) Replace the code with the following:
      $vars['body_id'] = 'pid-' . strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));
     fusion_core_clean_css_identifier() is a function added in this
     security release of Fusion. Making this change to your sub-theme's
     code without updating Fusion core will result in a WSOD.
Also see the Fusion [5] project page.
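An added illustration of the Fusion issue above, not code from the advisory or from Fusion: it contrasts the expression quoted in the advisory with an allow-list cleaner and checks the result before it is placed in an attribute. The example_* function names, the cleaner's rules and the sample aliases are assumptions made for this example; the real fusion_core_clean_css_identifier() may behave differently.

```php
<?php
// Added example. Every example_* name is hypothetical, not part of Fusion.

/**
 * The expression quoted in the advisory, with the path alias passed in as a
 * parameter instead of being read via drupal_get_path_alias($_GET['q']).
 * Only "_", "+" and "/" are rewritten; every other character passes through.
 */
function example_body_id_unfiltered($alias) {
  return 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', $alias));
}

/**
 * Allow-list cleaner (assumed rules): map the usual path separators to
 * hyphens, then drop every character that is not an ASCII letter, digit or
 * hyphen, so nothing that can close an attribute or open a tag survives.
 */
function example_clean_css_identifier($identifier) {
  $identifier = strtr($identifier, array(
    ' ' => '-',
    '_' => '-',
    '+' => '-',
    '/' => '-',
  ));
  return preg_replace('/[^A-Za-z0-9\-]/', '', $identifier);
}

/**
 * The replacement shape from the advisory, using the cleaner above.
 */
function example_body_id_filtered($alias) {
  return 'pid-' . strtolower(example_clean_css_identifier($alias));
}

/**
 * Check a sub-theme author can run on any generated identifier: TRUE only
 * when the value is limited to characters that are inert inside a quoted
 * HTML attribute.
 */
function example_is_safe_identifier($id) {
  return preg_match('/^pid-[a-z0-9\-]*$/', $id) === 1;
}

/**
 * Second layer, independent of the cleaner: escape at the point of output.
 */
function example_render_attribute($id) {
  return 'id="' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed sample aliases: two ordinary paths and one carrying characters
// that are meaningful in HTML.
$samples = array(
  'about/our_team',
  'blog/2012+04/release',
  'about"x=<y>',
);

foreach ($samples as $alias) {
  $before = example_body_id_unfiltered($alias);
  $after = example_body_id_filtered($alias);
  printf("alias:      %s\n", $alias);
  printf("unfiltered: %s (safe: %s)\n", $before,
    example_is_safe_identifier($before) ? 'yes' : 'no');
  printf("filtered:   %s (safe: %s)\n", $after,
    example_is_safe_identifier($after) ? 'yes' : 'no');
  printf("attribute:  %s\n\n", example_render_attribute($after));
}
```

For ordinary aliases both versions produce the same identifier, so swapping in a cleaner of this kind does not change existing CSS selectors; only aliases containing other characters are affected.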
-------- REPORTED BY
---------------------------------------------------------
* Jakub Suchy [6], of the Drupal Security Team
* Justin Emond [7]
* Rick Manelius [8]
* Abhishek Nagar [9]
* Chris Lee [10]
-------- FIXED BY
------------------------------------------------------------
* Jason Yergeau [11], theme co-maintainer
* Sheena Donnelly [12], theme co-maintainer
-------- COORDINATED BY
------------------------------------------------------
* Derek Wright [13] of the Drupal Security Team
* Stéphane Corlosquet [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].
Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].
[1] http://drupal.org/project/fusion
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fusion
[4] http://drupal.org/node/1506600
[5] http://drupal.org/project/fusion
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/186334
[8] http://drupal.org/user/680072
[9] http://drupal.org/user/259737
[10] http://drupal.org/user/1117072
[11] http://drupal.org/user/162308
[12] http://drupal.org/user/380305
[13] http://drupal.org/user/46549
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/36762
[16] http://drupal.org/user/124982
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-054
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 7.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This suite is primarily a set of APIs and tools to improve the developer
experience. It also contains a module called the Page Manager whose job is to
manage pages. In particular it manages panel pages, but as it grows it will
be able to manage far more than just Panels.
The module doesn't appropriately filter user signatures when rendering
comments.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "post comments" and a site must use Chaos tool suite to
render comments.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Chaos tool suite 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Chaos tool suite module for Drupal 7.x, upgrade to Chaos
tool suite 7.x-1.0 [4]
Also see the Chaos tool suite (ctools) [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Kristof De Jaeger [6]
-------- FIXED BY
------------------------------------------------------------
* Earl Miles [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Dylan Tack [8] of the Drupal Security Team
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ctools
[4] http://drupal.org/node/1507412
[5] http://drupal.org/project/ctools
[6] http://drupal.org/user/107403
[7] http://drupal.org/user/26979
[8] http://drupal.org/user/96647
[9] http://drupal.org/user/102818
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-053
* Project: Organic groups [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Organic groups (OG) enables users to create and manage their own 'groups'.
Each group can have subscribers, and maintains a group home page where
subscribers communicate amongst themselves.
The module's Views integration does not remove from the display information
about groups to which the current user does not have access, exposing private
group titles and the fact that the content is associated with the group.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Organic Groups 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Organic groups
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Organic Groups module for Drupal 6.x, upgrade to Organic
Groups 6.x-2.3 [4]
Also see the Organic groups [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* John f Galvin [6]
-------- FIXED BY
------------------------------------------------------------
* Adam Ross [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Jeavons [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/og
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/og
[4] http://drupal.org/node/1507328
[5] http://drupal.org/project/og
[6] http://drupal.org/user/83305
[7] http://drupal.org/user/346868
[8] http://drupal.org/user/91990
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
* Advisory ID: DRUPAL-SA-CONTRIB-2012-052
* Project: Node Limit Number [1] (third-party module)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Node Limit Number module enables an administrator to place limits on how
many nodes may be created by each user.
Node Limit Number does not protect the delete URL against Cross Site Request
Forgery attacks, allowing a malicious user to trick someone with "administer
node limitnumber" permissions to unknowingly remove existing limits.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Node Limit Number 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Node Limit
Number [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Node Limit Number module for Drupal 6.x, upgrade to Node
Limit Number 6.x-1.2 [4]
Also see the Node Limit Number [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ivo Van Geertruyen [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Joe Wheaton [7] the module maintainer
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/node_limitnumber
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/node_limitnumber
[4] http://drupal.org/node/1506594
[5] http://drupal.org/project/node_limitnumber
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/298179
[8] http://drupal.org/user/383424
[9] http://drupal.org/user/102818
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration