Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Date: 2017-November-08

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

When this module is in use, any user who can perform an action that rebuilds some of Drupal's caches can trigger a scenario in which pages protected by this module's custom permissions temporarily lose those custom access controls, leading to an access bypass vulnerability.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Date: 2017-November-08

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Date: 2017-November-01

This module gives a site administrator the ability to log users out after a specified period of inactivity. It is highly customizable and includes per-role "site policies" to enforce logout.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

Date: 2017-October-25

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Date: 2017-October-25

This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize input used in various database queries, which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078

Date: 2017-October-18

The Yandex.Metrics module allows you to track key indicators of your site's effectiveness.

The module doesn't sufficiently warn site administrators that access to its settings page should not be granted to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings".

Edited October 19, 2017 to add a note about checking permissions.

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Date: 2017-October-11

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control, making it susceptible to brute force attacks.

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

Page Access - Unsupported - SA-CONTRIB-2017-075

  • Advisory ID: DRUPAL-SA-CONTRIB-2017-075
  • Project: Page Access (third-party module)
  • Date: 20-September-2017

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074
