View online: https://www.drupal.org/sa-contrib-2019-065
Project: Imagecache External [1]
Date: 2019-August-21
Security risk: *Critical* 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Insecure session token management
Description: This module allows you to store external images on your server and apply your own Image Styles.
The module exposes cookies to external sites when making external image requests.
This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests to trusted sources.
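The two controls the description implies, a host allowlist and outbound requests that carry no visitor credentials, sketched as an added example (not code from the Imagecache External module or its fix). The function names, sample hosts and header values are hypothetical, and the advisory does not say how the module itself sent the cookies.

```php
<?php
// Added illustration; not code from the Imagecache External module.
// Function names, hosts and header values below are constructed.

/**
 * Returns TRUE only for http(s) URLs whose host exactly matches the allowlist.
 */
function example_host_is_allowed(string $url, array $allowed_hosts): bool {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  if (!in_array(strtolower($parts['scheme']), ['http', 'https'], TRUE)) {
    return FALSE;
  }
  // Compare the parsed host, never a substring of the URL: parse_url() puts
  // "images.example.com" in the userinfo of "https://images.example.com@evil.test/".
  $host = rtrim(strtolower($parts['host']), '.');
  return in_array($host, array_map('strtolower', $allowed_hosts), TRUE);
}

/**
 * Drops credential-bearing headers before a request leaves for a third party.
 */
function example_strip_credentials(array $headers): array {
  $blocked = ['cookie', 'authorization', 'proxy-authorization'];
  return array_filter($headers, function ($name) use ($blocked) {
    return !in_array(strtolower($name), $blocked, TRUE);
  }, ARRAY_FILTER_USE_KEY);
}

// Constructed sample data.
$allowed = ['images.example.com'];
$candidates = [
  'https://images.example.com/a.png',
  'HTTPS://IMAGES.EXAMPLE.COM/a.png',
  'https://images.example.com@evil.test/a.png',
  'https://images.example.com.evil.test/a.png',
  '//images.example.com/a.png',
  'ftp://images.example.com/a.png',
];
foreach ($candidates as $url) {
  $verdict = example_host_is_allowed($url, $allowed) ? 'fetch' : 'refuse';
  printf("%-46s %s\n", $url, $verdict);
}
print_r(example_strip_credentials([
  'Cookie' => 'SESSconstructed=constructed',
  'Accept' => 'image/*',
]));
```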
Solution: Install the latest version:
* If you use the Imagecache External 8.x-1.0 version, upgrade to Imagecache External 8.x-1.1 version [3]
Also see the Imagecache External [4] project page.
Reported By:
* Jason Want [5]
* Heine Deelstra [6] of the Drupal Security Team
Fixed By:
* Heine Deelstra [7] of the Drupal Security Team
* Baris Wanschers [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/imagecache_external
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_external/releases/8.x-1.1
[4] https://www.drupal.org/project/imagecache_external
[5] https://www.drupal.org/user/589890
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/107229
[9] https://www.drupal.org/user/36762