View online: https://www.drupal.org/sa-contrib-2018-041
Project: Custom Tokens [1] Date: 2018-June-13 Security risk: *Critical* 16∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Arbitrary PHP code execution
Description: The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.
The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
Solution: Install the latest version and review your permissions.
*Note, after upgrading, additional configuration steps required.* Sites using this module should review the permissions page at Administration » People » Permissions to verify only trusted users are granted permissions defined by the module such as "administer custom tokens".
* If you use the Custom Tokens module (1.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-1.2 [4]. * If you use the Custom Tokens module (2.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-2.0 [5].
Also see the Custom Tokens [6] project page.
Reported By: * Matt Glaman [7]
Fixed By: * Ariel Barreiro [8]
Coordinated By: * Michael Hess [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/token_custom [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/token_custom/releases/7.x-1.2 [5] https://www.drupal.org/project/token_custom/releases/7.x-2.0 [6] https://www.drupal.org/project/token_custom [7] https://www.drupal.org/user/2416470 [8] https://www.drupal.org/user/23157 [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/u/greggles