View online: https://www.drupal.org/node/2869190
* Advisory ID: DRUPAL-SA-CONTRIB-2017-042
* Project: Media [1] (third-party module)
* Date: 12-Apr-2017
-------- DESCRIPTION
---------------------------------------------------------
The Media module provides an extensible framework for managing files and
multimedia assets, regardless of whether they are hosted on your own site or
a 3rd party site - it is commonly referred to as a 'file browser to the
internet'.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Only the 1.x branch is affected. The 2.x branch does not have this
vulnerability.
Drupal core is not affected. If you do not use the contributed Media [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Media 1.x branch you should upgrade to the 2.x branch.
Also see the Media [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Fabricio Bedoya [4]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9]
[1] https://www.drupal.org/project/media
[2] https://www.drupal.org/project/media
[3] https://www.drupal.org/project/media
[4] https://www.drupal.org/u/fafabedoya
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2869156
* Advisory ID: DRUPAL-SA-CONTRIB-2014-041
* Project: Open Atrium Core [1] (third-party module), OA Comment [2]
(third-party module)
* Version: 7.x
* Date: 2017-April-12
* Security risk: 11/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [3]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
Open Atrium is a distribution that enables collaboration sites to be built.
It contains several custom modules to provide various functionality. While
content is often protected behind private groups, public content can also be
shared. When using Open Atrium as an internal Intranet, this "public"
content might be restricted to only logged in users by disabling anonymous
access to the site.
The oa_core and oa_comment modules do not properly respect the "view
published content" permission and allow anonymous users to view this
"public" content regardless of the permission setting.
This only affects sites that have disabled the "view published content"
permission for anonymous users, and only affects a small number of views.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Open Atrium distribution 7.x-2.x versions prior to 7.x-2.615
* oa_core 7.x-2.x versions prior to 7.x-2.84.
* oa_comment 7.x-2.x versions prior to 7.x-2.14.
Drupal core is not affected. If you do not use the contributed Open Atrium
Core [5] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version of Open Atrium. Be sure to revert the following
features:
oa_comments, oa_core, oa_news, oa_river, oa_section, oa_sections
Also see the Open Atrium [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Mike Potter [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Mike Potter [8] the distribution maintainer and member of the Drupal
Security Team
-------- COORDINATED BY
------------------------------------------------------
* Mike Potter [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/oa_core
[2] https://www.drupal.org/project/oa_comment
[3] https://www.drupal.org/security-team/risk-levels
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/oa_core
[6] https://www.drupal.org/project/openatrium
[7] https://www.drupal.org/u/mpotter
[8] https://www.drupal.org/u/mpotter
[9] https://www.drupal.org/u/mpotter
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2869141
* Advisory ID: DRUPAL-SA-CONTRIB-2017-39
* Project: Scheduler Workbench Integration [1] (third-party module)
* Date: 12-Apr-2017
-------- DESCRIPTION
---------------------------------------------------------
Provides integration between the Scheduler module and the Workbench
Moderation module.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Scheduler
Workbench Integration [2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Scheduler Workbench Integration module for Drupal you should
uninstall it.
Also see the Scheduler Workbench Integration [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Caroline Boyden [4]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9]
[1] https://www.drupal.org/project/scheduler_workbench
[2] https://www.drupal.org/project/scheduler_workbench
[3] https://www.drupal.org/project/scheduler_workbench
[4] https://www.drupal.org/user/657902
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2869138
* Advisory ID: DRUPAL-SA-CONTRIB-2017-38
* Project: References [1] (third-party module)
* Date: 12-Apr-2017
-------- DESCRIPTION
---------------------------------------------------------
This project provides D7 versions of the 'node_reference' and
'user_reference' field types that were part of the CCK package in D6, at
functional parity with their D6 counterparts.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed References [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the References module for Drupal you should uninstall it.
Also see the References [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Cash Williams [4] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9]
[1] https://www.drupal.org/project/references
[2] https://www.drupal.org/project/references
[3] https://www.drupal.org/project/references
[4] https://www.drupal.org/user/421070
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2869127
* Advisory ID: DRUPAL-SA-CONTRIB-2017-36
* Project: Legal [1] (third-party module)
* Date: 12-Apr-2017
-------- DESCRIPTION
---------------------------------------------------------
Displays your Terms & Conditions to users who want to register, and requires
that they accept the T&C before their registration is accepted.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Legal [2]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Legal module for Drupal you should uninstall it.
Also see the Legal [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* pbafe [4]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via
the contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies, writing secure
code for Drupal [6], and securing your site [7].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [8]
[1] https://www.drupal.org/project/legal
[2] https://www.drupal.org/project/legal
[3] https://www.drupal.org/project/legal
[4] https://www.drupal.org/user/3494981
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/writing-secure-code
[7] https://www.drupal.org/security/secure-configuration
[8] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2869123
* Advisory ID: DRUPAL-SA-CONTRIB-2017-35
* Project: Book access [1] (third-party module)
* Date: 12-April-2017
-------- DESCRIPTION
---------------------------------------------------------
This module alters the book module permissions model by letting you specify
access/modify/delete rights on a per-book basis. Normally, book-related
permissions provided by Drupal core apply across all books, but this module
lets you drill down as far as granting specific users specific rights on
specific books.
The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions
Drupal core is not affected. If you do not use the contributed Book access
[2] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Book access module for Drupal you should uninstall it.
Also see the Book access [3] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ergun Kuru [4]
-------- FIXED BY
------------------------------------------------------------
Not applicable
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [5].
Learn more about the Drupal Security team and their policies [6], writing
secure code for Drupal [7], and securing your site [8].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [9]
[1] https://www.drupal.org/project/book_access
[2] https://www.drupal.org/project/book_access
[3] https://www.drupal.org/project/book_access
[4] https://www.drupal.org/user/379181
[5] https://www.drupal.org/contact
[6] https://www.drupal.org/security-team
[7] https://www.drupal.org/writing-secure-code
[8] https://www.drupal.org/security/secure-configuration
[9] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2867101
* Advisory ID: DRUPAL-SA-CONTRIB-2017-034
* Project: Auto Login URL [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2017-April-05
* Security risk: 8/25 (Less Critical)
AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This module lets you create auto login URLs programmatically on demand and
through tokens.
The module does not provide sufficient protection when generating login URLs.
An attacker could rebuild login URLs independently, thereby logging in as
another user.
This vulnerability is mitigated by the fact that an attacker needs to be able
to exactly guess the second when a login URL was generated for a user.
Furthermore, the attacker also needs to know the victim's user ID and the login
destination of the generated login URL. The attack is also mitigated by the
fact that the module has flood control, so an attacker has only limited
attempts to guess login URLs.
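The weakness described above, as an added illustration (this is not the Auto
Login URL module's code, and it is written in Python rather than the module's
PHP so that it runs stand-alone): a login token that is a pure function of
the user ID, the destination and the creation second has no secret in it, so
its search space is the number of candidate seconds times the number of
candidate user IDs, which is what the advisory's mitigations (guess the
second, know the UID and destination, flood control) are bounding. The
hardened `LoginTokenStore` beside it draws the token from the OS CSPRNG,
stores only a digest, expires it, consumes it on first use and compares in
constant time. All names, the 300-second lifetime and the sample values are
assumptions made for the example.

```python
"""Login-URL tokens: a guessable derivation beside a hardened issuer.

Hypothetical illustration for the advisory above; none of this is the
module's actual implementation.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


# --- Weak scheme (illustrative): token derived only from guessable inputs ---

def weak_token(uid: int, destination: str, created: int) -> str:
    """Deterministic token from the user ID, the login destination and the
    creation time in whole seconds.  No secret enters the computation, so
    anyone who knows (or guesses) those three inputs reproduces the token."""
    material = f"{uid}:{destination}:{created}".encode()
    return hashlib.sha256(material).hexdigest()


def weak_search_space(window_seconds: int, candidate_uids: int) -> int:
    """Candidate tokens for one known destination: every second in the guessed
    creation window times every candidate user ID.  Flood control caps the
    number of attempts; it does not enlarge this space.  A random 256-bit
    token has 2**256 candidates instead."""
    return window_seconds * candidate_uids


# --- Hardened scheme: random, hashed at rest, expiring, single use ------------

@dataclass
class LoginTokenStore:
    """Issues unguessable, single-use, expiring login tokens.

    Only a SHA-256 digest of each token is stored, so a leaked table does not
    yield usable tokens; the token itself travels once, inside the URL."""
    ttl_seconds: int = 300  # assumed lifetime for the example
    # digest -> (uid, destination, expires_at)
    _records: Dict[str, Tuple[int, str, float]] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, uid: int, destination: str,
              now: Optional[float] = None) -> str:
        """Create a token for uid/destination; `now` is injectable for tests."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = (uid, destination,
                                              now + self.ttl_seconds)
        return token

    def redeem(self, token: str,
               now: Optional[float] = None) -> Optional[Tuple[int, str]]:
        """Return (uid, destination) exactly once for a live token, else None.
        A matching record is removed whether or not it had already expired."""
        now = time.time() if now is None else now
        presented = self._digest(token)
        # Constant-time comparison against every stored digest, so response
        # timing does not reveal how much of a guess matched.
        match = None
        for stored in list(self._records):
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return None
        uid, destination, expires_at = self._records.pop(match)  # single use
        if now > expires_at:
            return None
        return uid, destination


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    print("weak candidates for a 60 s window and 1000 uids:",
          weak_search_space(60, 1000))
    store = LoginTokenStore()
    t = store.issue(7, "/user/7")
    print("first redeem :", store.redeem(t))
    print("second redeem:", store.redeem(t))
```

The `redeem` path deliberately pops the record before checking expiry, so an
expired token cannot be retried later, and the digest-only storage means the
token table is not itself a set of credentials if it is ever read.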
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Auto Login URL 8.x-1.x versions prior to 8.x-1.2.
* Auto Login URL 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Auto Login URL
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Auto Login URL module for Drupal 8.x, upgrade to Auto Login
URL 8.x-1.2 [5]
* If you use the Auto Login URL module for Drupal 7.x, upgrade to Auto Login
URL 7.x-1.7 [6]
Also see the Auto Login URL [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Thanos Nokas [9] the module maintainer
* Klaus Purer [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/auto_login_url
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/auto_login_url
[5] https://www.drupal.org/project/auto_login_url/releases/8.x-1.2
[6] https://www.drupal.org/project/auto_login_url/releases/7.x-1.7
[7] https://www.drupal.org/project/auto_login_url
[8] https://www.drupal.org/u/klausi
[9] https://www.drupal.org/u/matrixlord
[10] https://www.drupal.org/u/klausi
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2862986
* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Linkit- Enriched linking experience [1] (third-party module)
* Version: 8.x
* Date: 2017-March-22
* Security risk: 10/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
Linkit provides an easy interface for internal and external linking with
WYSIWYG editors by using an autocomplete field.
When searching for entities, this module doesn't always enforce the access
restrictions and users may see information about entities they should not be
able to access.
This is mitigated by the fact that a user must have access to a text format
that uses Linkit.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Linkit 8.x-4.x versions prior to 8.x-4.3.
Drupal core is not affected. If you do not use the contributed Linkit-
Enriched linking experience [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.3 [5]
Also see the Linkit- Enriched linking experience [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Ben Dougherty [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Emil Stjerneman [8] the module maintainer
* Ben Dougherty [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/linkit
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/linkit
[5] https://www.drupal.org/project/linkit/releases/8.x-4.3
[6] https://www.drupal.org/project/linkit
[7] https://www.drupal.org/user/1852732
[8] https://www.drupal.org/user/464598
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity