[Security-news] Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052
security-news at drupal.org
security-news at drupal.org
Wed Jul 18 19:10:02 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-052
Project: Taxonomy Entity Queue [1]
Date: 2018-July-18
Security risk: *Critical* 17∕25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: SQL Injection
Description:
This module enables you to create an entityqueue based on a taxonomy.
The module did not properly use Drupal's database API when querying the
database with user supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional
queries.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer entity queue taxonomy" permission.
Solution:
Install the latest version:
* If you use the Taxonomy Entity Queue module for Drupal 7.x, upgrade to
Taxonomy Entity Queue 7.x-1.1 [3]
Also see the Taxonomy Entity Queue [4] project page.
Reported By:
* Drew Webber [5]
Fixed By:
* Bappa Sarkar [6]
* Drew Webber [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/entityqueue_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entityqueue_taxonomy/releases/7.x-1.1
[4] https://www.drupal.org/project/entityqueue_taxonomy
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/262655
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/u/mlhess
More information about the Security-news
mailing list