Security-news

security-news@drupal.org

1 participants
1782 discussions

Off Cycle Drupal Core Security Release - PSA-2021-05-25
by security-news＠drupal.org 25 May '21

25 May '21

View online: https://www.drupal.org/psa-2021-05-25 Date: 2021-May-25 Description: There will be a security release of Drupal Core 8.9.x, and 9.1.x on May 26th, 2021 between 16:00 - 18:00 UTC. This Public Service Advisory is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. The security risk of the advisory is currently rated as Moderately Critical. This is not a mass-exploitable vulnerability as far as the security team is currently aware. Given that this is a moderately critical vulnerability and is not believed to be mass exploitable it is not covered by Drupal Steward partners. [1] [1] https://www.drupal.org/drupal-security-team/steward

1 0

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-008 Project: Facets [1] Version: 8.x-1.x-dev Date: 2021-May-12 Security risk: *Moderately critical* 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting Description: This module enables you to add customizable facets on search pages, from core search or searches provided by Search API. The module doesn't sufficiently filter all output in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets". Solution: Install the latest version: * If you use the Facets module for Drupal 8.x/9.x, upgrade to Facets 8.x-1.8 [3] Reported By: * Ide Braakman [4] Fixed By: * Markus Kalkbrenner [5] * Ide Braakman [6] * Joris Vercammen [7] Coordinated By: * Damien McKenna [8] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/facets/releases/8.x-1.8 [4] https://www.drupal.org/user/1879760 [5] https://www.drupal.org/user/124705 [6] https://www.drupal.org/user/1879760 [7] https://www.drupal.org/user/2393360 [8] https://www.drupal.org/u/damienmckenna

1 0

Gutenberg - Critical - Cross site scripting - SA-CONTRIB-2021-007
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-007 Project: Gutenberg [1] Version: 8.x-2.x-dev8.x-1.x-dev Date: 2021-May-12 Security risk: *Critical* 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks. Solution: Install the latest version: * If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12 [3] * If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0 [4] * For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks. Reported By: * Stephan Zeidler [5] * Mariusz Andrzejewski [6] Fixed By: * Stephan Zeidler [7] * codebymikey [8] * Marco Fernandes [9] Coordinated By: * Damien McKenna [10] of the Drupal Security Team [1] https://www.drupal.org/project/gutenberg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gutenberg/releases/8.x-1.12 [4] https://www.drupal.org/project/gutenberg/releases/8.x-2.0 [5] https://www.drupal.org/user/767652 [6] https://www.drupal.org/user/3517832 [7] https://www.drupal.org/user/767652 [8] https://www.drupal.org/user/3573206 [9] https://www.drupal.org/user/2127558 [10] https://www.drupal.org/u/damienmckenna

1 0

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-009 Project: Chaos Tool Suite (ctools) [1] Version: 8.x-3.58.x-3.48.x-3.38.x-3.28.x-3.18.x-3.0 Date: 2021-May-12 Security risk: *Moderately critical* 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Information disclosure Description: Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle access control on its EntityView plugin. This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route. Solution: Install the latest version: * If you use the Chaos tool suite module for Drupal 8.x, upgrade to Chaos tool suite 8.x-3.6 [3] Reported By: * Jonathan Hedstrom [4] Fixed By: * Jonathan Hedstrom [5] * Balazs Janos Tatar [6] * Jakob Perry [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/ctools [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ctools/releases/8.x-3.6 [4] https://www.drupal.org/user/208732 [5] https://www.drupal.org/user/208732 [6] https://www.drupal.org/user/649590 [7] https://www.drupal.org/user/45640 [8] https://www.drupal.org/u/greggles

1 0

SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006
by security-news＠drupal.org 28 Apr '21

28 Apr '21

View online: https://www.drupal.org/sa-contrib-2021-006 Project: SAML Authentication [1] Date: 2021-April-28 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Description: The SAML Authentication module [3] allows users to authenticate against a SAML identity provider to login to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail. Solution: Install the latest version: * for all versions of Drupal 8/9, upgrade to samlauth 8.x-3.1 [4]. * for Drupal 7, upgrade to samlauth 7.x-1.1 [5]. Reported By: * Bobby Gryzynger [6] * Mark Shropshire [7] Fixed By: * Bobby Gryzynger [8] * Roderik Muit [9] * Jakob Perry [10] * Sascha Grossenbacher [11] * Cameron Eagans [12] * Drew Webber [13] of the Drupal Security Team Coordinated By: * Greg Knaddison [14] of the Drupal Security Team [1] https://www.drupal.org/project/samlauth [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/samlauth [4] https://www.drupal.org/project/samlauth/releases/8.x-3.1 [5] https://www.drupal.org/project/samlauth/releases/7.x-1.1 [6] https://www.drupal.org/user/3311649 [7] https://www.drupal.org/user/14767 [8] https://www.drupal.org/user/3311649 [9] https://www.drupal.org/user/8841 [10] https://www.drupal.org/user/45640 [11] https://www.drupal.org/user/214652 [12] https://www.drupal.org/user/404732 [13] https://www.drupal.org/user/255969 [14] https://www.drupal.org/user/36762

1 0

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
by security-news＠drupal.org 21 Apr '21

21 Apr '21

View online: https://www.drupal.org/sa-core-2021-002 Project: Drupal core [1] Date: 2021-April-21 Security risk: *Critical* 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross-site scripting Description: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible. Solution: Install the latest version: * If you are using Drupal 9.1, update to Drupal 9.1.7 [3]. * If you are using Drupal 9.0, update to Drupal 9.0.12 [4]. * If you are using Drupal 8.9, update to Drupal 8.9.14 [5]. * If you are using Drupal 7, update to Drupal 7.80 [6]. Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage. Reported By: * Jasper Mattsson [7] Fixed By: * Alex Pott [8] of the Drupal Security Team * Jasper Mattsson [9] * Michael Hess [10] of the Drupal Security Team * Wim Leers [11] * Heine [12] of the Drupal Security Team * Peter Wolanin [13] of the Drupal Security Team * Jess (xjm) [14] of the Drupal Security Team * Samuel Mortenson [15] of the Drupal Security Team * nwellnhof [16] * Alex Bronstein [17] of the Drupal Security Team * Lee Rowlands [18] of the Drupal Security Team * Adam G-H [19] * Drew Webber [20] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/9.1.7 [4] https://www.drupal.org/project/drupal/releases/9.0.12 [5] https://www.drupal.org/project/drupal/releases/8.9.14 [6] https://www.drupal.org/project/drupal/releases/7.80 [7] https://www.drupal.org/user/521118 [8] https://www.drupal.org/user/157725 [9] https://www.drupal.org/user/521118 [10] https://www.drupal.org/user/102818 [11] https://www.drupal.org/user/99777 [12] https://www.drupal.org/user/17943 [13] https://www.drupal.org/user/49851 [14] https://www.drupal.org/user/65776 [15] https://www.drupal.org/user/2582268 [16] https://www.drupal.org/user/3407764 [17] https://www.drupal.org/user/78040 [18] https://www.drupal.org/user/395439 [19] https://www.drupal.org/user/205645 [20] https://www.drupal.org/user/255969

1 0

Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005
by security-news＠drupal.org 17 Mar '21

17 Mar '21

View online: https://www.drupal.org/sa-contrib-2021-005 Project: Fast Autocomplete [1] Version: 8.x-1.78.x-1.68.x-1.58.x-1.48.x-1.38.x-1.28.x-1.18.x-1.0 Date: 2021-March-17 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: The Fast Autocomplete module [3] provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped. The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off. This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to. Solution: Install the latest version: * If you use the Fast Autocomplete module for Drupal 8.x, upgrade to Fast Autocomplete 8.x-1.8 [4] Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations. Fast Autocomplete for Drupal 7.x is not affected. Reported By: * Heine Deelstra [5] of the Drupal Security Team Fixed By: * Heine Deelstra [6] of the Drupal Security Team * Martijn Vermeulen [7] Coordinated By: * Heine Deelstra [8] of the Drupal Security Team [1] https://www.drupal.org/project/fac [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/fac [4] https://www.drupal.org/node/3204029 [5] https://www.drupal.org/user/17943 [6] https://www.drupal.org/user/17943 [7] https://www.drupal.org/user/960720 [8] https://www.drupal.org/user/17943

1 0

Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004
by security-news＠drupal.org 03 Mar '21

03 Mar '21

View online: https://www.drupal.org/sa-contrib-2021-004 Project: Webform [1] Date: 2021-March-03 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default [2] Vulnerability: Access bypass Description: The Webform module for Drupal 8/9 [3] includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form. The confirmation email can be used as an open mail relay to send an email to any email address. This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited. With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email. If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler. Solution: Install the latest version: * If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.25 [4] or Webform 6.0.2 [5] If you are using a previous release of the Webform module you can immediately do one of several options. 1) Delete the default Contact form. (/form/contact) 2) Delete the default Contact form's confirmation email handler.(/admin/structure/webform/manage/contact/handlers) 3) Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit) 4) Add SPAM protection [6] to the default Contact form. Reported By: * KarinG [7] Fixed By: * Jacob Rockowitz [8] * Dan Chadwick [9] * KarinG [10] Coordinated By: * Greg Knaddison [11] of the Drupal Security Team [1] https://www.drupal.org/project/webform [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/webform [4] https://www.drupal.org/project/webform/releases/8.x-5.25 [5] https://www.drupal.org/project/webform/releases/6.0.2 [6] https://www.drupal.org/docs/contributed-modules/webform/webform-add-ons#spam [7] https://www.drupal.org/user/787114 [8] https://www.drupal.org/user/371407 [9] https://www.drupal.org/user/504278 [10] https://www.drupal.org/user/787114 [11] https://www.drupal.org/user/36762

1 0

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003
by security-news＠drupal.org 27 Jan '21

27 Jan '21

View online: https://www.drupal.org/sa-contrib-2021-003 Project: Subgroup [1] Version: 1.0.x-dev Date: 2021-January-27 Security risk: *Less critical* 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Description: This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree. When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees with only multiple nodes at the lowest tier (or nowhere) are unaffected. Solution: Install the latest version, Subgroup 1.0.1 [3], and clear your caches. Reported By: * Mori Sugimoto [4] of the Drupal Security Team * kyk [5] Fixed By: * Kristiaan Van den Eynde [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team [1] https://www.drupal.org/project/subgroup [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/subgroup/releases/1.0.1 [4] https://www.drupal.org/user/82971 [5] https://www.drupal.org/user/29822 [6] https://www.drupal.org/user/1345130 [7] https://www.drupal.org/user/36762

1 0

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002
by security-news＠drupal.org 27 Jan '21

27 Jan '21

View online: https://www.drupal.org/sa-contrib-2021-002 Project: Open Social [1] Version: 8.x-9.x-dev8.x-8.x-dev Date: 2021-January-27 Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Description: The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file. The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a selected user in certain scenarios. This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must have the configuration set in such a way a logged in user is able to export users. Solution: Install the latest version: * If you use Open Social major version 8, upgrade to 8.x-8.10 [3] * If you use Open Social major version 9, upgrade to 8.x-9.8 [4] Reported By: * Robert Ragas [5] Fixed By: * Ronald te Brake [6] * Alexander Varwijk [7] * Bram ten Hove [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/8.x-8.10 [4] https://www.drupal.org/project/social/releases/8.x-9.8 [5] https://www.drupal.org/user/2723261 [6] https://www.drupal.org/user/2314038 [7] https://www.drupal.org/user/1868952 [8] https://www.drupal.org/user/1549848 [9] https://www.drupal.org/user/36762

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news