[Security-news] Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065
security-news at drupal.org
security-news at drupal.org
Wed Aug 21 16:18:25 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-065
Project: Imagecache External [1]
Date: 2019-August-21
Security risk: *Critical* 15∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Insecure session token management
Description:
This module that allows you to store external images on your server and apply
your own Image Styles.
The module exposes cookies to external sites when making external image
requests.
This vulnerability is mitigated by using the whitelisted host feature to
restrict external image requests from trusted sources.
Solution:
Install the latest version:
* If you use the Imagecache External 8.x-1.0 version, upgrade to Imagecache
External 8.x-1.1 version [3]
Also see the Imagecache External [4] project page.
Reported By:
* Jason Want [5]
* Heine Deelstra [6] of the Drupal Security Team
Fixed By:
* Heine Deelstra [7] of the Drupal Security Team
* Baris Wanschers [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/imagecache_external
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/imagecache_external/releases/8.x-1.1
[4] https://www.drupal.org/project/imagecache_external
[5] https://www.drupal.org/user/589890
[6] https://www.drupal.org/user/17943
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/107229
[9] https://www.drupal.org/user/36762
More information about the Security-news
mailing list