View online: https://www.drupal.org/sa-core-2018-006
* Advisory ID: DRUPAL-SA-CONTRIB-2018-006
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2018-October-17
-------- DESCRIPTION
---------------------------------------------------------
*Content moderation - Moderately critical - Access bypass - Drupal 8*
In some conditions, content moderation fails to check a user's access to use
certain transitions, leading to an access bypass.
In order to fix this issue, the following changes have been made to content
moderation which may have implications for backwards compatibility:
ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone
subclassing this service must ensure these additional dependencies are
passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of
this interface which do not extend the StateTransitionValidation should
implement this method.
Implementations which /do/ extend from the StateTransitionValidation
should ensure any behavioural changes they have made are also reflected
in this new method.
User permissions
Previously users who didn't have access to use any content moderation
transitions were granted implicit access to update content provided the
state of the content did not change. Now access to an associated
transition will be validated for all users in scenarios where the state
of content does not change between revisions.
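The following is an added example, not Drupal core's code, that illustrates the permission change described above with a minimal transition-access check. The class name, the transition ids and the permission string format are assumptions made for the illustration; the workflow data is constructed.

```php
<?php
// Added example (not Drupal core code): a minimal transition-access check
// showing the old and the new behaviour for same-state revisions.
// Class, transition and permission names are assumptions.

final class ModerationAccessCheck
{
    /** @var array<string, array{from: string, to: string}> transition id => states */
    private array $transitions;

    public function __construct(array $transitions)
    {
        $this->transitions = $transitions;
    }

    /**
     * Old behaviour: when the moderation state did not change, the transition
     * check was skipped, so any user with update access on the entity could
     * save a new revision without holding any transition permission.
     */
    public function allowedOld(string $fromState, string $toState, array $userPermissions): bool
    {
        if ($fromState === $toState) {
            return true; // implicit access: the gap the advisory describes
        }
        return $this->hasTransition($fromState, $toState, $userPermissions);
    }

    /**
     * New behaviour: a transition matching from -> to must exist (for an
     * unchanged state that is a same-state transition such as draft -> draft)
     * and the user must hold its permission.
     */
    public function allowedNew(string $fromState, string $toState, array $userPermissions): bool
    {
        return $this->hasTransition($fromState, $toState, $userPermissions);
    }

    private function hasTransition(string $from, string $to, array $userPermissions): bool
    {
        foreach ($this->transitions as $id => $t) {
            if ($t['from'] === $from && $t['to'] === $to
                && in_array("use $id transition", $userPermissions, true)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed workflow: an editorial-style set of transitions, including a
// same-state "create_new_draft" transition (draft -> draft).
$check = new ModerationAccessCheck([
    'create_new_draft' => ['from' => 'draft', 'to' => 'draft'],
    'publish'          => ['from' => 'draft', 'to' => 'published'],
]);

$noTransitions = [];                                   // user holds no transition permission
$draftEditor   = ['use create_new_draft transition']; // user may save new drafts only

foreach ([
    'old, no permissions, draft->draft'    => $check->allowedOld('draft', 'draft', $noTransitions),
    'new, no permissions, draft->draft'    => $check->allowedNew('draft', 'draft', $noTransitions),
    'new, draft editor, draft->draft'      => $check->allowedNew('draft', 'draft', $draftEditor),
    'new, draft editor, draft->published'  => $check->allowedNew('draft', 'published', $draftEditor),
] as $label => $result) {
    printf("%-38s %s\n", $label, $result ? 'allowed' : 'denied');
}
```

The practical consequence for site owners is the one the advisory states: after updating, a role that could previously save unchanged-state revisions without any transition permission will be denied until it is granted the matching same-state transition.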
Reported by
* Roland Kovacsics [2]
* attilatilman [3]
Fixed by
* Jess [4] of the Drupal Security Team
* Lee Rowlands [5] of the Drupal Security Team
* Wim Leers [6]
* Daniel Wehner [7]
* Sam Becker [8]
* Tim Millwood [9]
* Alex Pott [10] of the Drupal Security Team
*External URL injection through URL aliases - Moderately Critical - Open
Redirect - Drupal 7 and Drupal 8*
The path module allows users with the 'administer paths' permission to create
pretty URLs for content.
In certain circumstances the user can enter a particular path that triggers
an open redirect to a malicious URL.
The issue is mitigated by the fact that the user needs the 'administer paths'
permission to exploit it.
Reported by
* dyates [11]
Fixed by
* Dave Reid [12] of the Drupal Security Team
* David Rothstein [13] of the Drupal Security Team
* Peter Wolanin [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Alex Bronstein [16] of the Drupal Security Team
* Nathaniel Catchpole [17] of the Drupal Security Team
* Lee Rowlands [18] of the Drupal Security Team
* Ted Bowman [19] Provisional member of the Drupal Security Team
*Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8*
Drupal core and contributed modules frequently use a "destination" query
string parameter in URLs to redirect users to a new destination after
completing an action on the current page. Under certain circumstances,
malicious users can use this parameter to construct a URL that will trick
users into being redirected to a 3rd party website, thereby exposing the
users to potential social engineering attacks.
This vulnerability has been publicly documented.
RedirectResponseSubscriber event handler removal
As part of the fix,
\Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination
has been removed. Although this is a public method, it is not considered an
API as per our API policy for event subscribers [20].
If you have extended that class or are calling that method, you should review
your implementation in line with the changes in the patch. The existing
method has been removed to prevent a false sense of security.
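The following is an added example, not Drupal core's code and not a replacement for the removed method, showing the kind of check a redirect handler needs before honouring a user-supplied "destination" value: only a site-relative path is accepted, everything else falls back to a fixed local URL. The function names are assumptions and the inputs are constructed.

```php
<?php
// Added example (not Drupal code): accept a "destination" value only when it
// is a site-relative path. Function names are assumptions.

function isLocalDestination(string $destination): bool
{
    // Must start with exactly one slash. This rejects absolute URLs
    // ("https://..."), scheme-relative URLs ("//host/...") and relative paths.
    if ($destination === '' || $destination[0] !== '/') {
        return false;
    }
    // "//host" and "/\host" are both resolved as external by browsers.
    if (strlen($destination) > 1 && ($destination[1] === '/' || $destination[1] === '\\')) {
        return false;
    }
    // Control characters and whitespace have no place in a redirect target
    // (they are also the raw material of header injection).
    if (preg_match('/[\x00-\x20\x7f]/', $destination)) {
        return false;
    }
    // parse_url() must agree that there is no scheme and no host component.
    $parts = parse_url($destination);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

/** Returns the destination if it is local, otherwise the fallback. */
function safeRedirectTarget(?string $destination, string $fallback = '/'): string
{
    return ($destination !== null && isLocalDestination($destination)) ? $destination : $fallback;
}

// Constructed inputs: two legitimate local paths followed by values that a
// redirect handler must not follow.
$cases = [
    '/node/1?foo=bar',
    '/user/login',
    'https://attacker.example/',
    '//attacker.example/',
    '/\\attacker.example/',
    'javascript:alert(1)',
    "/node/1\r\nLocation: https://attacker.example",
    'node/1',
];
foreach ($cases as $c) {
    printf("%-50s -> %s\n", var_export($c, true), safeRedirectTarget($c));
}
```

Drupal core itself exposes helpers for this purpose (for example the external-URL check in UrlHelper); the example deliberately spells the rules out so that each rejected form is visible. A site that relies on the removed sanitizeDestination method should switch to core's current handling rather than copy the method back.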
Reported by
* Brian Osborne [21]
Fixed by
* Michael Hess [22] of the Drupal Security Team
* Wim Leers [23]
* Alex Pott [24] of the Drupal Security Team
* Grant Gaudet [25]
* Lee Rowlands [26] of the Drupal Security Team
* Nathaniel Catchpole [27] of the Drupal Security Team
* Jess [28] of the Drupal Security Team
*Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution -
Drupal 7 and Drupal 8*
When sending email some variables were not being sanitized for shell
arguments, which could lead to remote code execution.
Reported by
* Damien Tournoud [29]
Fixed by
* Lee Rowlands [30] of the Drupal Security Team
* Sascha Grossenbacher [31]
* Daniel Wehner [32]
* Klaus Purer [33]
* Damien Tournoud [34]
* Stefan Ruijsenaars [35] of the Drupal Security Team
* David Rothstein [36] of the Drupal Security Team
* David Snopek [37] of the Drupal Security Team
* Jess [38] of the Drupal Security Team
* Wim Leers [39]
* Peter Wolanin [40] of the Drupal Security Team
* Ted Bowman [41] Provisional member of the Drupal Security Team
*Contextual Links validation - Critical - Remote Code Execution - Drupal 8*
The Contextual Links module doesn't sufficiently validate the requested
contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access contextual links".
Reported by
* Nick Booher [42]
Fixed by
* Lee Rowlands [43] of the Drupal Security Team
* Nick Booher [44]
* Samuel Mortenson [45] of the Drupal Security Team
* Wim Leers [46]
* Alex Pott [47] of the Drupal Security Team
-------- SOLUTION
------------------------------------------------------------
Upgrade to the most recent version of Drupal 7 or 8 core.
* If you are running 7.x, upgrade to Drupal 7.60 [48].
* If you are running 8.6.x, upgrade to Drupal 8.6.2 [49].
* If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8 [50].
Minor versions of Drupal 8 prior to 8.5.x are not supported and do not
receive security coverage, so sites running older versions should update to
the above 8.5.x release immediately. 8.5.x will receive security coverage
until May 2019.
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/user/3528385
[3] https://www.drupal.org/u/attilatilman
[4] https://www.drupal.org/user/65776
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/99777
[7] https://www.drupal.org/user/99340
[8] https://www.drupal.org/user/1485048
[9] https://www.drupal.org/user/227849
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/3426845
[12] https://www.drupal.org/user/53892
[13] https://www.drupal.org/user/124982
[14] https://www.drupal.org/user/49851
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/78040
[17] https://www.drupal.org/user/35733
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/240860
[20] https://www.drupal.org/core/d8-bc-policy#paramconverters
[21] https://www.drupal.org/user/788032
[22] https://www.drupal.org/user/102818
[23] https://www.drupal.org/user/99777
[24] https://www.drupal.org/user/157725
[25] https://www.drupal.org/user/360002
[26] https://www.drupal.org/user/395439
[27] https://www.drupal.org/user/35733
[28] https://www.drupal.org/user/65776
[29] https://www.drupal.org/user/22211
[30] https://www.drupal.org/user/395439
[31] https://www.drupal.org/user/214652
[32] https://www.drupal.org/user/99340
[33] https://www.drupal.org/user/262198
[34] https://www.drupal.org/user/22211
[35] https://www.drupal.org/user/551886
[36] https://www.drupal.org/user/124982
[37] https://www.drupal.org/user/266527
[38] https://www.drupal.org/user/65776
[39] https://www.drupal.org/user/99777
[40] https://www.drupal.org/user/49851
[41] https://www.drupal.org/user/240860
[42] https://www.drupal.org/user/809346
[43] https://www.drupal.org/user/395439
[44] https://www.drupal.org/user/809346
[45] https://www.drupal.org/user/2582268
[46] https://www.drupal.org/user/99777
[47] https://www.drupal.org/user/157725
[48] https://www.drupal.org/project/drupal/releases/7.60
[49] http://www.drupal.org/project/drupal/releases/8.6.2
[50] http://www.drupal.org/project/drupal/releases/8.5.8
View online: https://www.drupal.org/psa-2018-10-17
The Drupal Security team has a core and contrib release window on the 3rd
Wednesday of the month. This window normally ends at 5pm Eastern (9PM UTC).
Due to unforeseen circumstances, we are extending the current window we are
in by 4 hours until *Oct 17th, 2018 at 8pm Eastern (11:59PM UTC)*.
View online: https://www.drupal.org/sa-contrib-2018-066
Project: NVP field [1]
Date: 2018-October-10
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
NVP field module allows you to create a field type of name/value pairs, with
custom titles and easily editable rendering with customizable HTML/text
surrounding the pairs.
The module doesn't sufficiently handle sanitization of its field formatter's
output.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission of creating/editing content where the module defined
fields are in use.
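The following is an added example, not the NVP field module's code, that shows the distinction a formatter of this kind has to keep: the surrounding HTML is site-builder configuration and may be emitted as-is, while the names and values are editor-supplied content and must be escaped. The function names are assumptions and the sample pairs are constructed.

```php
<?php
// Added example (not the module's code): rendering name/value pairs inside a
// configurable HTML wrapper. Function names are assumptions.

/**
 * Vulnerable pattern: field content is concatenated into the markup unchanged,
 * so any editor who can write the field can inject script into the page.
 */
function formatPairsUnsafe(array $pairs, string $before, string $between, string $after): string
{
    $out = '';
    foreach ($pairs as $name => $value) {
        $out .= $before . $name . $between . $value . $after;
    }
    return $out;
}

/**
 * Hardened pattern: the wrapper strings ($before, $between, $after) are trusted
 * configuration; every name and value is HTML-escaped before output.
 */
function formatPairsSafe(array $pairs, string $before, string $between, string $after): string
{
    $out = '';
    foreach ($pairs as $name => $value) {
        $out .= $before
            . htmlspecialchars((string) $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . $between
            . htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . $after;
    }
    return $out;
}

// Constructed field content: the second value is the kind of input the
// advisory's mitigation (content creation permission) limits to editors.
$pairs = [
    'Colour' => 'Red',
    'Note'   => '5 < 6 & <script>alert(1)</script>',
];

echo "unsafe: ", formatPairsUnsafe($pairs, '<dt>', '</dt><dd>', '</dd>'), "\n";
echo "safe:   ", formatPairsSafe($pairs, '<dt>', '</dt><dd>', '</dd>'), "\n";
```

In a Drupal 7 module the equivalent of the htmlspecialchars() call is check_plain(); the point of the example is where the escaping boundary sits, not the helper used.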
Solution:
Install the latest version:
* If you use the NVP field module for Drupal 7.x, upgrade to NVP field
7.x-1.1 [3]
Also see the NVP field [4] project page.
Reported By:
* Balazs Janos Tatar [5] Provisional Security Team Member
Fixed By:
* John Avery [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/nvp
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/nvp/releases/7.x-1.1
[4] https://www.drupal.org/project/nvp
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/2573976
[7] https://www.drupal.org/u/mlhess
View online: https://www.drupal.org/sa-contrib-2018-063
Project: Printer, email and PDF versions [1]
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: *Highly critical* 20/25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution
Description:
This module provides printer-friendly versions of content, including send by
e-mail and PDF versions.
The module doesn't sufficiently sanitize the arguments passed to the
wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell
commands. It also doesn't sufficiently sanitize the HTML content passed to
dompdf, allowing a privileged attacker to execute arbitrary PHP code.
This vulnerability is mitigated by the fact that the site must have either
the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF
generation tool. In the case of the dompdf vulnerability, the attacker must
be able to write content to the site.
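The following is an added example, not code from the print module or from Drupal core, covering the two shell-argument problems on this page: the wkhtmltopdf argument handling described here and the unsanitized mail() variables in the DefaultMailSystem::mail() advisory above. It shows the two defensive patterns involved: quoting every argument of an external command with escapeshellarg() behind an option allowlist, and validating a sender address before it becomes mail()'s additional-parameters value. Function names, the option list and the input values are assumptions; the wkhtmltopdf options are used only as illustrative values.

```php
<?php
// Added example (not the module's or core's code). Function names, the
// option allowlist and all inputs are assumptions for illustration.

/**
 * Vulnerable pattern: untrusted values interpolated into one command string.
 * Shell metacharacters in $url or $output change the command that runs.
 */
function buildPdfCommandUnsafe(string $binary, string $url, string $output): string
{
    return "$binary $url $output";
}

/**
 * Hardened pattern: option names come from a fixed allowlist, every value is
 * quoted with escapeshellarg(), and positional values may not begin with "-"
 * so they cannot be interpreted as further options.
 */
function buildPdfCommandSafe(string $binary, array $options, string $url, string $output): string
{
    // option name => whether it takes a value (assumed allowlist)
    static $allowedOptions = ['--page-size' => true, '--orientation' => true, '--quiet' => false];

    $parts = [escapeshellarg($binary)];
    foreach ($options as $name => $value) {
        if (!array_key_exists($name, $allowedOptions)) {
            throw new InvalidArgumentException("Option not permitted: $name");
        }
        $parts[] = $name;
        if ($allowedOptions[$name]) {
            $parts[] = escapeshellarg((string) $value);
        }
    }
    foreach ([$url, $output] as $positional) {
        if ($positional === '' || $positional[0] === '-') {
            throw new InvalidArgumentException('Positional argument may not look like an option');
        }
        $parts[] = escapeshellarg($positional);
    }
    return implode(' ', $parts);
}

/**
 * Sender address for mail()'s additional-parameters argument ("-f").
 * Instead of escaping, only a conservative address syntax is accepted;
 * anything else yields no "-f" at all, so the MTA never sees extra arguments.
 */
function returnPathParameter(?string $address): string
{
    if ($address === null) {
        return '';
    }
    $address = trim($address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false
        || !preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/', $address)) {
        return '';
    }
    return '-f' . $address;
}

// Constructed inputs: the second URL carries a shell metacharacter, the
// second address tries to append a further argument after the address.
echo buildPdfCommandUnsafe('/usr/bin/wkhtmltopdf', 'https://example.test/node/1;id', '/tmp/x.pdf'), "\n";
echo buildPdfCommandSafe('/usr/bin/wkhtmltopdf', ['--page-size' => 'A4'],
    'https://example.test/node/1', '/tmp/node-1.pdf'), "\n";
echo buildPdfCommandSafe('/usr/bin/wkhtmltopdf', [],
    'https://example.test/node/1;id', '/tmp/x.pdf'), "\n";
var_dump(returnPathParameter('editor@example.test'));
var_dump(returnPathParameter('editor@example.test --extra-argument'));
```

Where an existing code base cannot move to an array-based process API, the two rules above (allowlist the option names, escapeshellarg() every value) are the minimum; a reviewer can grep a module for exec(), shell_exec(), popen() and the fifth argument of mail() to find the call sites that need them.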
Solution:
Install the latest version:
* If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1 [3]
Alternatively, disable PDF generation, or replace the PDF generation library
with another of the supported ones.
Also see the Printer, email and PDF versions [4] project page.
Reported By:
* yoloClin [5]
Fixed By:
* Lee Rowlands [6] of the Drupal Security Team
* João Ventura [7]
* yoloClin [8]
Coordinated By:
* Lee Rowlands [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/print
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/print/releases/7.x-2.1
[4] https://www.drupal.org/project/print
[5] https://www.drupal.org/user/3585171
[6] https://www.drupal.org/user/395439
[7] https://www.drupal.org/user/122464
[8] https://www.drupal.org/user/3585171
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/u/mlhess
View online: https://www.drupal.org/sa-contrib-2018-060
Project: Renderkit [1]
Date: 2018-September-19
Security risk: *Moderately critical* 11/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
This module, typically in combination with cfr:cfrplugin, allows site builders
to compose behaviors from granular components. One such behavior is to display
a list of related entities, for a given source entity and a given entity
relation (e.g. an entity reference field).
The components that display related content do not check whether the user has
access to view the related entities. This way, e.g., unpublished nodes may be
displayed to anonymous visitors.
This vulnerability is mitigated by the facts that
- a site builder must have used the component that displays "related"
entities for a source entity, using cfr:cfrplugin, OR a programmer has used
one of the affected components in code.
- a source entity displayed this way must reference access-restricted
content.
Solution:
Install the latest version:
* If you use the Renderkit module for Drupal 7.x, upgrade to Renderkit
7.x-1.6 [3]
Also see the Renderkit [4] project page.
Reported By:
* Andreas Hennings [5]
Fixed By:
* Andreas Hennings [6]
Coordinated By:
* Lee Rowlands [7]
[1] https://www.drupal.org/project/renderkit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/renderkit/releases/7.x-1.6
[4] https://www.drupal.org/project/renderkit
[5] https://www.drupal.org/user/459338
[6] https://www.drupal.org/user/459338
[7] https://www.drupal.org/u/larowlan