Security-news

security-news@drupal.org

1 participants
1782 discussions

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013
by security-news＠drupal.org 08 Feb '17

08 Feb '17

View online: https://www.drupal.org/node/2850909 * Advisory ID: DRUPAL-SA-CONTRIB-2017-013 * Project: Acquia Content Hub [1] (third-party module) * Version: 8.x * Date: 2017-February-08 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub [3] service. The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4. Drupal core is not affected. If you do not use the contributed Acquia Content Hub [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Acquia Content Hub module for Drupal 8.x, upgrade to Acquia Content Hub 8.x-1.4 [6] Also see the Acquia Content Hub [7] project page. -------- REPORTED BY --------------------------------------------------------- * Samuel Mortenson [8] -------- FIXED BY ------------------------------------------------------------ * Alejandro Barrios [9] the module maintainer * Cash William [10] of the Drupal Security Team * Samuel Mortenson [11] * Kyle Browning [12] * Wim Leers [13] -------- COORDINATED BY ------------------------------------------------------ * Stéphane Corlosquet [14] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [15]. Learn more about the Drupal Security team and their policies [16], writing secure code for Drupal [17], and securing your site [18]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [19] [1] https://www.drupal.org/project/acquia_contenthub [2] https://www.drupal.org/security-team/risk-levels [3] https://www.acquia.com/products-services/acquia-content-hub [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/acquia_contenthub [6] https://www.drupal.org/node/2850903 [7] https://www.drupal.org/project/acquia_contenthub [8] https://www.drupal.org/u/samuelmortenson [9] https://www.drupal.org/u/abarrios [10] https://www.drupal.org/u/cashwilliams [11] https://www.drupal.org/u/samuelmortenson [12] https://www.drupal.org/u/kylebrowning [13] https://www.drupal.org/u/wim-leers [14] https://www.drupal.org/u/scor [15] https://www.drupal.org/contact [16] https://www.drupal.org/security-team [17] https://www.drupal.org/writing-secure-code [18] https://www.drupal.org/security/secure-configuration [19] https://twitter.com/drupalsecurity

1 0

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012
by security-news＠drupal.org 08 Feb '17

08 Feb '17

View online: https://www.drupal.org/node/2850880 * Advisory ID: DRUPAL-SA-CONTRIB-2017-012 * Project: Web Experience Toolkit: Omega [1] (third-party module) * Version: 7.x * Date: 2017-February-08 * Security risk: 10/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- WetKit Omega 4.x is a modern, Sass [3] and Compass [4] enabled Drupal 7 theme powered by the Omega base theme. When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them. This is mitigated by the fact that the unprivileged users won't be able to actually visit the links. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * wetkit_omega 7.x-1.x versions prior to 7.x-1.15. Drupal core is not affected. If you do not use the contributed Web Experience Toolkit: Omega [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the wetkit_omega module for Drupal 7.x, upgrade to wetkit_omega 7.x-1.15 [7] Also see the Web Experience Toolkit: Omega [8] project page. -------- REPORTED BY --------------------------------------------------------- * Fabian Franz [9] -------- FIXED BY ------------------------------------------------------------ * William Hearn [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [11] of the Drupal Security Team * David Snopek [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [17] [1] https://www.drupal.org/project/wetkit_omega [2] https://www.drupal.org/security-team/risk-levels [3] http://sass-lang.com/ [4] http://compass-style.org/ [5] http://cve.mitre.org/ [6] https://www.drupal.org/project/wetkit_omega [7] https://www.drupal.org/project/wetkit_omega/releases/7.x-1.15 [8] https://www.drupal.org/project/wetkit_omega [9] https://www.drupal.org/user/fabianx [10] https://www.drupal.org/user/sylus [11] https://www.drupal.org/u/mlhess [12] https://www.drupal.org/u/dsnopek [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration [17] https://twitter.com/drupalsecurity

1 0

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011
by security-news＠drupal.org 08 Feb '17

08 Feb '17

View online: https://www.drupal.org/node/2850873 * Advisory ID: DRUPAL-SA-CONTRIB-2017-011 * Project: Facebook Pull [1] (third-party module) * Version: 7.x * Date: 2017-February-08 * Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to add integration with Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and recreate API endpoints. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Facebook Pull versions prior to 7.x-3.1. Drupal core is not affected. If you do not use the contributed Facebook Pull [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Facebook Pull module for Drupal 7.x, upgrade to Facebook Pull 7.x-3.1 [5] Also see the Facebook Pull [6] project page. -------- REPORTED BY --------------------------------------------------------- * Nedjo Rogers [7] -------- FIXED BY ------------------------------------------------------------ * Dave Ferrara [8] the module maintainer * Lee Rowlands [9] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [10] of the Drupal Security Team * David Snopek [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/facebook_pull [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/facebook_pull [5] https://www.drupal.org/project/facebook_pull/releases/7.x-3.1 [6] https://www.drupal.org/project/facebook_pull [7] https://www.drupal.org/user/4481 [8] https://www.drupal.org/u/daveferrara1 [9] https://www.drupal.org/u/larowlan [10] https://www.drupal.org/u/mlhess [11] https://www.drupal.org/u/dsnopek [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010
by security-news＠drupal.org 08 Feb '17

08 Feb '17

View online: https://www.drupal.org/node/2850866 * Advisory ID: DRUPAL-SA-CONTRIB-2017-010 * Project: Storage API stream wrappers [1] (third-party module) * Version: 7.x * Date: 2017-February-08 * Security risk: 13/25 ( Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module provides stream wrappers [3] to integrate Storage API [4] with Drupal, as an alternative to Storage API's core_bridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently performs access control allowing anonymous users to access the private storage files. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [5] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Storage API stream wrappers 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Storage API stream wrappers [6] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Storage API stream wrappers module for Drupal 7.x, upgrade to Storage API stream wrappers 7.x-1.1 [7] Also see the Storage API stream wrappers [8] project page. -------- REPORTED BY --------------------------------------------------------- * Gareth Goodwin [9] -------- FIXED BY ------------------------------------------------------------ * Jonathan Araña Cruz [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [11] of the Drupal Security Team * David Snopek [12] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [13]. Learn more about the Drupal Security team and their policies [14], writing secure code for Drupal [15], and securing your site [16]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [17] [1] https://www.drupal.org/project/storage_api_stream_wrapper [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/555118 [4] https://www.drupal.org/project/storage_api [5] http://cve.mitre.org/ [6] https://www.drupal.org/project/storage_api_stream_wrapper [7] https://www.drupal.org/project/storage_api_stream_wrapper/releases/7.x-1.1 [8] https://www.drupal.org/project/storage_api_stream_wrapper [9] https://www.drupal.org/u/smaz [10] https://www.drupal.org/u/jonhattan [11] https://www.drupal.org/u/mlhess [12] https://www.drupal.org/u/dsnopek [13] https://www.drupal.org/contact [14] https://www.drupal.org/security-team [15] https://www.drupal.org/writing-secure-code [16] https://www.drupal.org/security/secure-configuration [17] https://twitter.com/drupalsecurity

1 0

Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009
by security-news＠drupal.org 01 Feb '17

01 Feb '17

View online: https://www.drupal.org/node/2848865 * Advisory ID: DRUPAL-SA-CONTRIB-2017-009 * Project: Better Exposed Filters [1] (third-party module) * Version: 7.x * Date: 2017-February-01 * Security risk: 7/25 ( Less Critical) AC:Complex/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Better Exposed Filters [3] module gives site builders more choices for rendering Views' exposed form elements. The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Better Exposed Filters 7.x-3.x versions prior to 7.x-3.4. Drupal core is not affected. If you do not use the contributed Better Exposed Filters [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Better Exposed Filters module for Drupal 7.x, upgrade to Better Exposed Filters 7.x-3.4 [6] or greater. Also see the Better Exposed Filters [7] project page. -------- REPORTED BY --------------------------------------------------------- * Henri Medot (anrikun) [8] -------- FIXED BY ------------------------------------------------------------ * Henri Medot (anrikun) [9] * Mike Keran (mikeker) [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/better_exposed_filters [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/better_exposed_filters [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/better_exposed_filters [6] https://www.drupal.org/project/better_exposed_filters/releases/7.x-3.4 [7] https://www.drupal.org/project/better_exposed_filters [8] https://www.drupal.org/user/410199 [9] https://www.drupal.org/user/410199 [10] https://www.drupal.org/user/192273 [11] https://www.drupal.org/u/klausi [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008
by security-news＠drupal.org 25 Jan '17

25 Jan '17

View online: https://www.drupal.org/node/2846791 * Advisory ID: DRUPAL-SA-CONTRIB-2017-008 * Project: Salescloud [1] (third-party module) * Version: 7.x * Date: 2017-Jan-25 * Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions Drupal core is not affected. If you do not use the contributed salescloud [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the salescloud module for Drupal 7.x you should uninstall it. Also see the salescloud [5] project page. -------- REPORTED BY --------------------------------------------------------- * Cash Williams [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [11] [1] https://www.drupal.org/project/oauth [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/salescloud [5] https://www.drupal.org/project/salescloud [6] https://www.drupal.org/u/cashwilliams [7] https://www.drupal.org/contact [8] https://www.drupal.org/security-team [9] https://www.drupal.org/writing-secure-code [10] https://www.drupal.org/security/secure-configuration [11] https://twitter.com/drupalsecurity

1 0

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007
by security-news＠drupal.org 25 Jan '17

25 Jan '17

View online: https://www.drupal.org/node/2846788 * Advisory ID: DRUPAL-SA-CONTRIB-2017-007 * Project: microblog [1] (third-party module) * Version: 7.x * Date: 2017-Jan-25 * Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- This module enables microblogging on Drupal sites using it. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions Drupal core is not affected. If you do not use the contributed microblog [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the microblog module for Drupal 7.x you should uninstall it. Also see the microblog [5] project page. -------- REPORTED BY --------------------------------------------------------- * Reuben Unruh [6] -------- FIXED BY ------------------------------------------------------------ Not applicable -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [11] [1] https://www.drupal.org/project/microblog [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/microblog [5] https://www.drupal.org/project/microblog [6] https://www.drupal.org/user/1126610 [7] https://www.drupal.org/contact [8] https://www.drupal.org/security-team [9] https://www.drupal.org/writing-secure-code [10] https://www.drupal.org/security/secure-configuration [11] https://twitter.com/drupalsecurity

1 0

Oauth - Critical - Unsupported - SA-CONTRIB-2017-006
by security-news＠drupal.org 25 Jan '17

25 Jan '17

View online: https://www.drupal.org/node/2846787 * Advisory ID: DRUPAL-SA-CONTRIB-2017-006 * Project: oauth [1] (third-party module) * Version: 7.x * Date: 2017-Jan-25 * Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2] -------- DESCRIPTION --------------------------------------------------------- This module implements the OAuth 1.0 standard for use with Drupal and acts as a support module for other modules that wish to use OAuth. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions Drupal core is not affected. If you do not use the contributed Oauth [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the oauth module for Drupal 7.x you should uninstall it. Also see the oauth [5] project page. -------- REPORTED BY --------------------------------------------------------- * Tim Brandin [6] * Damien McKenna [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ Not applicable -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [8]. Learn more about the Drupal Security team and their policies [9], writing secure code for Drupal [10], and securing your site [11]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [12] [1] https://www.drupal.org/project/oauth [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/oauth [5] https://www.drupal.org/project/oauth [6] https://www.drupal.org/u/timbrandin [7] https://www.drupal.org/u/DamienMcKenna [8] https://www.drupal.org/contact [9] https://www.drupal.org/security-team [10] https://www.drupal.org/writing-secure-code [11] https://www.drupal.org/security/secure-configuration [12] https://twitter.com/drupalsecurity

1 0

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005
by security-news＠drupal.org 11 Jan '17

11 Jan '17

View online: https://www.drupal.org/node/2842760 * Advisory ID: DRUPAL-SA-CONTRIB-2017-005 * Project: (third-party module) * Version: 7.x * Date: 2017-January-11 * Security risk: 23/25 ( Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All [1] * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004 [2], this version of the PHPMailer library was vulnerable to PHP code execution. Per Drupal.org policy, 3rd party code should not be stored [3] in drupal.org repositories. Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Mailjet 7.x-2.x versions prior 7.x-2.9. Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet7.x-2.9 [5] Also see the project page. -------- REPORTED BY --------------------------------------------------------- * hargobind [6] -------- FIXED BY ------------------------------------------------------------ * Proxiad [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Damien McKenna [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [13] [1] https://www.drupal.org/security-team/risk-levels [2] https://www.drupal.org/psa-2016-004 [3] https://www.drupal.org/node/422996 [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/mailjet/releases/7.x-2.9 [6] https://www.drupal.org/u/hargobind [7] https://www.drupal.org/u/proxiad [8] https://www.drupal.org/u/damienmckenna [9] https://www.drupal.org/contact [10] https://www.drupal.org/security-team [11] https://www.drupal.org/writing-secure-code [12] https://www.drupal.org/security/secure-configuration [13] https://twitter.com/drupalsecurity

1 0

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004
by security-news＠drupal.org 11 Jan '17

11 Jan '17

View online: https://www.drupal.org/node/2842759 * Advisory ID: DRUPAL-SA-CONTRIB-2017-004 * Project: OpenLucius [1] (third-party distribution) * Version: 7.x * Date: 2017-January-11 * Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- OpenLucius is a work management platform for social communication, documentation, and projects. The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. The distribution does not sufficiently filter taxonomy term names before outputting them to HTML thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have permissions to insert malicious taxonomy terms. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Openlucius 7.x-1.x versions prior to 7.x-1.6. Drupal core is not affected. If you do not use the contributed OpenLucius News [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Openlucius for Drupal 7.x, upgrade to Openlucius 7.x-1.7 [5] Also see the OpenLucius News [6] project page. -------- REPORTED BY --------------------------------------------------------- * Klaus Purer [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Thomas Dik [8] the distribution maintainer -------- COORDINATED BY ------------------------------------------------------ * Klaus Purer [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/openlucius [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/openlucius_news [5] https://www.drupal.org/project/openlucius/releases/7.x-1.7 [6] https://www.drupal.org/project/openlucius_news [7] https://www.drupal.org/user/262198 [8] https://www.drupal.org/user/1718070 [9] https://www.drupal.org/user/262198 [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news