NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Date: 2018-July-11

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

Date: 2018-July-11

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

Date: 2018-July-11

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs leading to XSS. This is mitigated by the attacker having the permission "Administer EU Cookie Compliance."

Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Date: 2018-July-11

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

Date: 2018-July-04

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has an arbitrary file upload vulnerability when it is used in combination with the Services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to upload via the file create REST endpoint.

TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Date: 2018-June-27

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes, which is an uncommon configuration.

Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

Date: 2018-June-27

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

Date: 2018-June-27

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Date: 2018-June-13

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Date: 2018-June-06

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.
