Show advisories for only Drupal Core, only contributed projects, or only PSAs

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Date: 
2018-January-10
Security risk: 
Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.

This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001

Date: 
2018-January-10
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.

The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.

This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Date: 
2017-December-20
Security risk: 
Highly critical 20 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All

'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc.

The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096

Date: 
2017-December-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default

This module adds a new organizational layer to Drupal, making it easy for managing large numbers of files and nodes.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095

Date: 
2017-December-20
Security risk: 
Less critical 7 ∕ 25 AC:Complex/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon

This module enables you to use the comScore Direct analytics system on a site.

The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore direct".

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

Date: 
2017-December-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default

The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type.

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Date: 
2017-December-13
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

Date: 
2017-December-06
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default

This module enables you to set nodes to send feedbacks by personal/site wide contact forms.
The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.

Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

Date: 
2017-December-06
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.

Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

Date: 
2017-December-06
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. 

The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create feedback-collect content" or its related editing permissions.

Pages

Subscribe with RSS Subscribe to Security advisories