Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform.
This module doesn't sufficiently shield multi-site installations.
This vulnerability is mitigated by the fact that the server must be using Apache and must host multiple sites on a common platform. An attacker must also have knowledge of the filenames in use and of the server.
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform.
This module doesn't sufficiently shield multi-site installations or the PHP source code.
This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema.
In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries.
This vulnerability is mitigated by the fact that it affects an unused function. A site is only vulnerable if it has custom code that uses the phonefield_get_entity_id() function and exposes control over the $field parameter to visitors to the site.
This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities.
The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. (This means certain GET requests are vulnerable; no POST, PATCH or DELETE requests are vulnerable.)
This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for nodes (content), the Field API (FAPI), and Webforms.
The module doesn't sufficiently filter user input when displaying a signature.
The vulnerability is mitigated by the fact that an attacker must have the ability to submit a signature. That permission might be associated with submitting a webform or creating or editing a node depending on site configuration.
This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.
This vulnerability is mitigated by the fact that only Drupal entity titles and IDs, and Salesforce record IDs, are exposed. Entity content and metadata are appropriately protected. Disclosure of a Salesforce ID does not confer any additional privileges.
The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords.
The "digit placement" constraint is vulnerable to Denial of Service attacks: an attacker can submit specially crafted passwords that cause the site to become unresponsive.
This vulnerability is mitigated by the fact that a site must have the "digit placement" constraint enabled.