Security-news

security-news@drupal.org

1 participants
1782 discussions

Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-022 Project: Drupal REST & JSON API Authentication [1] Date: 2024-May-29 Security risk: *Moderately critical* 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <2.0.13 Description: Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc. The module doesn't sufficiently control user access when using Basic Authentication. Solution: Install the latest version: * If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13 [3] * If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13 [4], as the 8.x-1.x branch is now unsupported. Reported By: * Arek Suchecki [5] Fixed By: * solideogloria [6] * Shashank Thigale [7] * Arek Suchecki [8] * Greg Knaddison [9] of the Drupal Security Team Coordinated By: * Greg Knaddison [10] of the Drupal Security Team * Juraj Nemec [11] of the Drupal Security Team * David Rothstein [12] of the Drupal Security Team [1] https://www.drupal.org/project/rest_api_authentication [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/rest_api_authentication/releases/2.0.13 [4] https://www.drupal.org/project/rest_api_authentication/releases/2.0.13 [5] https://www.drupal.org/user/3553379 [6] https://www.drupal.org/user/3589277 [7] https://www.drupal.org/user/3632808 [8] https://www.drupal.org/user/3553379 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/user/272316 [12] https://www.drupal.org/user/124982

1 0

Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-023 Project: Image Sizes [1] Date: 2024-May-29 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <3.0.2 Description: This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios. Solution: Install the latest version. * If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes 3.0.2 [3] Reported By: * Dezső Biczó [4] Fixed By: * Dezső Biczó [5] * Pascal Crott [6] * Juraj Nemec [7] of the Drupal Security Team Coordinated By: * Juraj Nemec [8] of the Drupal Security Team * Neil Drumm [9] of the Drupal Security Team [1] https://www.drupal.org/project/image_sizes [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/image_sizes/releases/3.0.2 [4] https://www.drupal.org/user/315522 [5] https://www.drupal.org/user/315522 [6] https://www.drupal.org/user/647364 [7] https://www.drupal.org/user/272316 [8] https://www.drupal.org/user/272316 [9] https://www.drupal.org/user/3064

1 0

Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
by security-news＠drupal.org 29 May '24

29 May '24

View online: https://www.drupal.org/sa-contrib-2024-024 Project: Migrate queue importer [1] Date: 2024-May-29 Security risk: *Moderately critical* 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <2.1.1 Description: The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to enable/disable a cron migration. This vulnerability is mitigated by the fact that an attacker must know the id of the migration. Solution: Install the latest version: * If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1 [3] Reported By: * Pierre Rudloff [4] Fixed By: * David Bätge [5] * Pierre Rudloff [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/migrate_queue_importer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2526160 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316

1 0

Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
by security-news＠drupal.org 22 May '24

22 May '24

View online: https://www.drupal.org/sa-contrib-2024-021 Project: Commerce View Receipt [1] Date: 2024-May-22 Security risk: *Moderately critical* 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.0.3 Description: The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing a malicious to view the private information of other customers. Solution: Install the latest version. * If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3 [3]. Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version. Reported By: * Norman Kämper-Leymann [4] Fixed By: * Norman Kämper-Leymann [5] * Greg Mack [6] * Greg Knaddison [7] of the Drupal Security Team * Drew Webber [8] of the Drupal Security Team Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team * xjm [11] of the Drupal Security Team [1] https://www.drupal.org/project/commerce_view_receipt [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/commerce_view_receipt/releases/1.0.3 [4] https://www.drupal.org/user/2482808 [5] https://www.drupal.org/user/2482808 [6] https://www.drupal.org/user/336930 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/u/poker10 [11] https://www.drupal.org/u/xjm

1 0

Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
by security-news＠drupal.org 22 May '24

22 May '24

View online: https://www.drupal.org/sa-contrib-2024-020 Project: Email Contact [1] Date: 2024-May-22 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <2.0.4 Description: The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used. This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used. Solution: Install the latest version: * If you use the 2.0.x branch, upgrade to email_contact 2.0.4 [3]. * If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4 [4], as the 8.x-1.x branch is now unsupported. Reported By: * Claudiu Cristea [5] Fixed By: * Claudiu Cristea [6] * Bálint Nagy [7] * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * xjm [10] of the Drupal Security Team Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * xjm [12] of the Drupal Security Team * Juraj Nemec [13] of the Drupal Security Team [1] https://www.drupal.org/project/email_contact [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/email_contact/releases/2.0.4 [4] https://www.drupal.org/project/email_contact/releases/2.0.4 [5] https://www.drupal.org/user/56348 [6] https://www.drupal.org/user/56348 [7] https://www.drupal.org/user/1763952 [8] https://www.drupal.org/user/36762 [9] https://www.drupal.org/user/272316 [10] https://www.drupal.org/user/65776 [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/xjm [13] https://www.drupal.org/user/272316

1 0

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019
by security-news＠drupal.org 15 May '24

15 May '24

View online: https://www.drupal.org/sa-contrib-2024-019 Project: RESTful Web Services [1] Date: 2024-May-15 Security risk: *Critical* 16∕25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:All [2] Vulnerability: Access bypass Description: This module exposes Drupal resources (e.g. entities) as RESTful web services. The module doesn't sufficiently restrict access for user resources. Solution: Install the latest version: * If you use the RESTful Web Services module for Drupal 7, upgrade to RESTful Web Services 7.x-2.10 [3] Reported By: * Fran Garcia-Linares [4] Fixed By: * Neil Drumm [5] of the Drupal Security Team * Fran Garcia-Linares [6] Coordinated By: * Neil Drumm [7] of the Drupal Security Team [1] https://www.drupal.org/project/restws [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/restws/releases/7.x-2.10 [4] https://www.drupal.org/user/2495842 [5] https://www.drupal.org/user/3064 [6] https://www.drupal.org/user/2495842 [7] https://www.drupal.org/user/3064

1 0

REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
by security-news＠drupal.org 24 Apr '24

24 Apr '24

View online: https://www.drupal.org/sa-contrib-2024-018 Project: REST Views [1] Date: 2024-April-24 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information Disclosure Affected versions: <3.0.1 Description: The Rest views module lets site admins create rest exports in views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure to expose. Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter. Solution: Install the latest version: * REST Views 8.x-1.x versions are unsupported. * REST Views 2.x versions upgrade to Rest Views 3.0.1 [3] * REST Views 3.x versions prior to 3.0.1 upgrade to Rest Views 3.0.1 [4] Reported By: * nicxvan [5] Fixed By: * nicxvan [6] Coordinated By: * Benji Fisher [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team * Cathy Theys [9] of the Drupal Security Team [1] https://www.drupal.org/project/rest_views [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/rest_views/releases/3.0.1 [4] https://www.drupal.org/project/rest_views/releases/3.0.1 [5] https://www.drupal.org/user/531480 [6] https://www.drupal.org/user/531480 [7] https://www.drupal.org/user/683300 [8] https://www.drupal.org/user/36762 [9] https://www.drupal.org/user/258568

1 0

Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017
by security-news＠drupal.org 24 Apr '24

24 Apr '24

View online: https://www.drupal.org/sa-contrib-2024-017 Project: Advanced PWA [1] Date: 2024-April-24 Security risk: *Critical* 16∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.5.0 Description: Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings. Solution: Install the latest version: * If you use the Advanced Progressive Web App module for Drupal 8.x, upgrade to Advanced Progressive Web App 8.x-1.5 [3] Reported By: * Matthew Grasmick [4] Fixed By: * gMaximus [5] Coordinated By: * Greg Knaddison [6] of the Drupal Security Team * Michael Hess [7] of the Drupal Security Team * cilefen [8] of the Drupal Security Team * Cathy Theys [9] of the Drupal Security Team [1] https://www.drupal.org/project/advanced_pwa [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/advanced_pwa/releases/8.x-1.5 [4] https://www.drupal.org/user/455714 [5] https://www.drupal.org/user/1612496 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/102818 [8] https://www.drupal.org/user/1850070 [9] https://www.drupal.org/user/258568

1 0

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016
by security-news＠drupal.org 27 Mar '24

27 Mar '24

View online: https://www.drupal.org/sa-contrib-2024-016 Project: TacJS [1] Date: 2024-March-27 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Affected versions: <6.5.0 Description: This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620 [3]. This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites. Solution: Install the latest version: * If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.5 [4] Reported By: * Pierre Rudloff [5] Fixed By: * Frank Mably [6] * Pierre Rudloff [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/tacjs [2] https://www.drupal.org/security-team/risk-levels [3] https://nvd.nist.gov/vuln/detail/CVE-2023-3620 [4] https://www.drupal.org/project/tacjs/releases/8.x-6.5 [5] https://www.drupal.org/user/3611858 [6] https://www.drupal.org/user/3375160 [7] https://www.drupal.org/user/3611858 [8] https://www.drupal.org/user/36762

1 0

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
by security-news＠drupal.org 06 Mar '24

06 Mar '24

View online: https://www.drupal.org/sa-contrib-2024-015 Project: Registration role [1] Date: 2024-March-06 Security risk: *Critical* 18∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <2.0.1 Description: The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php). This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates. Solution: Install the latest version: * If you use the Registration role module version 2.x, upgrade to Registration role 2.0.1 [3] Review user accounts registered between 2023 July 11 and now for having additional roles you did not intend for them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, up until you re-saved the settings form or until you install the new release - whichever came first - users who registered receive /all/ roles. Also, upgrade to the latest version /and run update hooks/ at update.php or with Drush, drush updb OR: Immediately re-save the the configuration page at /admin/people/registration-role Reported By: * Pamela Barone [4] * Renaud Joubert [5] Fixed By: * Juraj Nemec [6] of the Drupal Security Team * Benjamin Melançon [7] Coordinated By: * Juraj Nemec [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team [1] https://www.drupal.org/project/registration_role [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/registration_role/releases/2.0.1 [4] https://www.drupal.org/user/1431110 [5] https://www.drupal.org/user/549974 [6] https://www.drupal.org/user/272316 [7] https://www.drupal.org/user/64383 [8] https://www.drupal.org/user/272316 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/255969

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news