Drupal contrib security advisories

Project: Apigee EdgeDate: 2023-February-01Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Solution: 

Install the latest version:

• If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8
• If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27

Reported By: 

• Dezső Biczó

Fixed By: 

• Dezső Biczó
• Shishir Suvarna

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Media Library Form API ElementVersion: 8.x-1.38.x-1.28.x-1.1Date: 2023-January-18Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureAffected versions: >=2.0 <2.0.6Description: 

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Solution: 

Install the latest version:

• If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
• If you use the Media Library Form API Element module version 8.x-1.* they are all affected and are no longer supported. You should upgrade to 2.0.6.

Reported By: 

• Benji Fisher of the Drupal Security Team
• Dan Flanagan

Fixed By: 

• Kim Kennof
• Lauri Eskola
• Alex Bronstein of the Drupal Security Team
• Luke Leber
• Lee Rowlands of the Drupal Security Team

Coordinated By: 

• xjm of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: Media Library BlockDate: 2023-January-18Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: >=1.0 <1.0.4Description: 

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution: 

Install the latest version:

• If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.

Reported By: 

• Lee Rowlands of the Drupal Security Team
• Dan Flanagan

Fixed By: 

• ayalon
• xjm of the Drupal Security Team
• Jan Hug
• Dan Flanagan

Coordinated By: 

• Dave Reid of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Entity BrowserDate: 2023-January-18Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureDescription: 

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Solution: 

Install the latest version:

• If you use the Entity Browser module for Drupal 9 or 10, upgrade to Entity Browser 8.x-2.9.

Reported By: 

• Lee Rowlands of the Drupal Security Team

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Sascha Grossenbacher
• Benji Fisher of the Drupal Security Team
• xjm of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team
• Dan Flanagan

Coordinated By: 

• xjm of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: Private Taxonomy TermsDate: 2023-January-11Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"

Solution: 

Install the latest version:

• If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6

Reported By: 

• Giuseppe

Fixed By: 

• Conrad Lara
• Giuseppe

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Jess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: File (Field) PathsDate: 2022-December-14Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Solution: 

Install the latest version:

• If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2

Reported By: 

• Hayato Goto
• Drew Webber of the Drupal Security Team
• Steve Bink

Fixed By: 

• Hayato Goto
• David Snopek of the Drupal Security Team
• Vijay Mani provisional member of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Oleh Vehera
• Damien McKenna of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: H5P - Create and Share Rich Content and ApplicationsDate: 2022-December-14Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Solution: 

Install the latest version:

• If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51

Reported By: 

Disclosed publicly.

Fixed By: 

• Frode Petterson
• paalj

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Entity RegistrationDate: 2022-December-07Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=7.1.0 <7.1.9Description: 

This module enables you to create registration entities related to nodes.

The module doesn't sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Solution: 

Install the latest version:

• If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.9 release

Note: Sites that allow non-administrative users to manage registrations because the users can update the registration host entity and have "update own registration" permission for a given registration type, may need to give those users the "administer own registration" permission for them to retain the ability to manage registrations after installing this upgrade.

Reported By: 

• Joël Pittet

Fixed By: 

• Joël Pittet
• Maria Fisher
• john.oltman

Coordinated By: 

• James Gilliland of the Drupal Security Team

Reported at: 20 November 2022

Project: Open SocialDate: 2022-November-30Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1Description: 

Social Private Message module allows users on the platform to allow users to send private messages to each other.

The module does not properly perform the correct access checks for certain operations.

Solution: 

Install the latest version:

• If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.5.1
• If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.4.9

Reported By: 

• zanvidmar

Fixed By: 

• Navneet Singh
• zanvidmar

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Open SocialDate: 2022-November-30Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1Description: 

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.

In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.

This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".

Solution: 

Install the latest version:

• If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.5.1
• If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.4.9

Reported By: 

• Tiago Siqueira

Fixed By: 

• Tiago Siqueira
• Alexander Varwijk
• Navneet Singh

Coordinated By: 

• cilefen of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Social BaseDate: 2022-November-30Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=2.3 <2.3.4 || >=2.4 <2.4.3Description: 

The Social Base theme is designed as a base theme for Open Social. This base
theme holds has a lot of sensible defaults. It doesn't however contain much
styling. We expect developers to want to change this for their own project.

When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.

The link to groups was rendered without sufficiently checking that the viewing user has access to the group. When creating public content in a non-public group this could lead to exposing the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.

Solution: 

Install the latest version:

• If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to Socialbase 2.4.3
• If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to Socialbase 2.3.4

Reported By: 

• Alexander Varwijk

Fixed By: 

• Alexander Varwijk
• Ronald te Brake
• Navneet Singh

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Search APIDate: 2022-October-19Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.

This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.

Solution: 

Install the latest version:

• If you use the Search API module for Drupal 9.x/10.x, upgrade to Search API 8.x-1.27

Reported By: 

• Markus Kalkbrenner

Fixed By: 

• Gerhard Killesreiter of the Drupal Security Team
• Joris Vercammen
• Markus Kalkbrenner
• Thomas Seidl
• Damien McKenna of the Drupal Security Team

Coordinated By: 

• Michael Hess of the Drupal Security Team