Drupal contrib security advisories

25 May 2022

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

Project: Apigee Edge
Date: 2022-May-25
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Apigee Edge module connects a Drupal site to Apigee X / Edge in order to build a developer portal. Developers (site users) can view the API keys of their own apps.

The module discloses information: for a limited time after a user logs in, an attacker with access to the same computer can read API key data back out of the browser cache.
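The failure mode above is a response carrying a secret that the browser is allowed to keep. The controller below is an added illustration, not Apigee Edge module code: the module name example_portal, the route, and the stubbed loadCredentials() lookup are assumptions. It contrasts a response that relies on Drupal's default headers with one that is explicitly marked no-store.

```php
<?php

namespace Drupal\example_portal\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\PageCache\ResponsePolicy\KillSwitch;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;

/**
 * Serves an app's API credentials to the logged-in developer.
 *
 * Added illustration, not Apigee Edge module code. The module name, the
 * route and the stubbed loadCredentials() lookup are assumptions.
 */
class AppCredentialsController extends ControllerBase {

  /**
   * @var \Drupal\Core\PageCache\ResponsePolicy\KillSwitch
   */
  protected $killSwitch;

  public function __construct(KillSwitch $kill_switch) {
    $this->killSwitch = $kill_switch;
  }

  public static function create(ContainerInterface $container) {
    return new static($container->get('page_cache_kill_switch'));
  }

  /**
   * Leaky: Drupal's default for a dynamic (uncacheable) response is
   * "Cache-Control: no-cache, must-revalidate". That only forces
   * revalidation before reuse; a browser may still write the body to its
   * disk cache, where anyone using the same machine can read it back later.
   */
  public function leaky($app_id) {
    return new JsonResponse($this->loadCredentials($app_id));
  }

  /**
   * Hardened: "no-store" forbids every cache (browser, proxy, Drupal's own
   * page cache) from persisting the response. Drupal's FinishResponseSubscriber
   * leaves a Cache-Control header alone when the controller set one itself,
   * so the directive survives to the client.
   */
  public function hardened($app_id) {
    $response = new JsonResponse($this->loadCredentials($app_id));
    // Belt and braces: make sure the internal page cache never stores it.
    $this->killSwitch->trigger();
    $response->setPrivate();
    $response->headers->addCacheControlDirective('no-store');
    $response->headers->addCacheControlDirective('no-cache');
    $response->headers->addCacheControlDirective('must-revalidate');
    // Expires in the past for HTTP/1.0 caches that ignore Cache-Control.
    $response->setExpires(new \DateTime('@0'));
    return $response;
  }

  /**
   * Stand-in for the real credential lookup (constructed sample data).
   */
  protected function loadCredentials($app_id) {
    return [
      'app' => $app_id,
      'consumer_key' => 'sample-consumer-key',
    ];
  }

}
```

A quick check on a live site is to request the credential endpoint with the browser's developer tools open and confirm the response headers include no-store; the same applies to any HTML page that prints a key inline, where the render array's cacheability metadata must be set uncacheable (max-age 0) as well.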

Solution: 

Install the latest version:

  • If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.3
  • If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.26
25 May 2022

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Project: Entity Browser Block
Date: 2022-May-25
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Entity Browser Block provides a Block Plugin for every Entity Browser on your site.

The module did not sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.

Solution: 

Install the latest version:

25 May 2022

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Project: Open Social
Date: 2022-May-25
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews that they should not have access to. Visiting an entity directly applied the correct access checks.

This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview while certain commonly granted permissions have been revoked from them.

Please note that the affected versions were already unsupported; this advisory is released additionally because there are still reported installs of the affected versions.
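This advisory and the Entity Browser Block one above describe the same defect: a listing (an overview page, a block form) was assembled from loaded entities without asking each entity's access handler, while the entity's own page still did. The class below is an added illustration, not code from either project; the class name is an assumption and the entities are supplied by the caller. Note that an entity query's accessCheck(TRUE) only applies query-level access (node grants, for example), so the per-entity check is still required.

```php
<?php

namespace Drupal\example_overview;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Session\AccountInterface;

/**
 * Builds a listing of entities for an overview page or a block form.
 *
 * Added illustration, not Entity Browser Block or Open Social code.
 */
final class OverviewListBuilder {

  /**
   * Leaky: every loaded entity is rendered, whatever the viewer may see.
   *
   * @param \Drupal\Core\Entity\EntityInterface[] $entities
   *   Entities as returned by a storage load or an entity query.
   */
  public static function buildLeaky(array $entities): array {
    $items = [];
    foreach ($entities as $entity) {
      $items[] = $entity->toLink()->toRenderable();
    }
    return ['#theme' => 'item_list', '#items' => $items];
  }

  /**
   * Checked: each entity's access handler decides for this viewer, and the
   * access results' cacheability (contexts such as user.permissions, tags
   * such as group membership) is merged into the render array, so a cached
   * copy is never served to a viewer for whom the decision would differ.
   *
   * @param \Drupal\Core\Entity\EntityInterface[] $entities
   *   Entities as returned by a storage load or an entity query.
   * @param \Drupal\Core\Session\AccountInterface $viewer
   *   The account the list is rendered for (normally the current user).
   */
  public static function buildChecked(array $entities, AccountInterface $viewer): array {
    $items = [];
    $cacheability = new CacheableMetadata();
    foreach ($entities as $entity) {
      // Ask for the AccessResult object (third argument TRUE) so that its
      // cache contexts and tags survive, not just the boolean.
      $access = $entity->access('view', $viewer, TRUE);
      $cacheability->addCacheableDependency($access);
      if ($access->isAllowed()) {
        $items[] = $entity->toLink()->toRenderable();
        $cacheability->addCacheableDependency($entity);
      }
    }
    $build = ['#theme' => 'item_list', '#items' => $items];
    $cacheability->applyTo($build);
    return $build;
  }

}
```

The same rule applies to labels shown in a select list or autocomplete: if the viewer may not view the entity, its label should not appear either. When checking with a trusted account other than the current user is intended (an administrative listing), say so explicitly in the code rather than omitting the account argument.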

Solution: 

Install the latest versions:

  • If you use Open Social versions prior to 11.0.0, upgrade to at least Open Social 11.0.0 where this issue is resolved

Preferably use one of the supported versions:

Fixed By: A variety of people as part of upgrading to version 11.
25 May 2022

Embed - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-042

Project: Embed
Date: 2022-May-25
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.

In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).

Solution: 

Install the latest version:

  • If you use the Embed module for Drupal 8.x or 9.x, upgrade to Embed 8.x-1.5
18 May 2022

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

Project: Wingsuit - Storybook for UI Patterns
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Wingsuit module enables site builders to build UI Patterns and/or Twig Components with Storybook and use them in Drupal without any mapping code.

The module does not have an access check on its admin form, allowing an attacker (no account required, per the risk rating) to view and modify the Wingsuit configuration.
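In Drupal the access requirement for a form lives on its route. The routing file below is an added config illustration, not Wingsuit's real routing; the module name example_module, the path, the form class and the permission name are assumptions. It shows a route with no check beside the corrected one (a real file would contain only one of the two, they share a path here for comparison).

```yaml
# example_module.routing.yml (added illustration, not Wingsuit code)

# Weak: '_access: TRUE' is an unconditional allow. Anonymous visitors can load
# the form, and its submit handler will save whatever they post.
example_module.settings_unprotected:
  path: '/admin/config/services/example'
  defaults:
    _form: '\Drupal\example_module\Form\SettingsForm'
    _title: 'Example settings'
  requirements:
    _access: 'TRUE'

# Corrected: the route requires a permission. Declare the permission in
# example_module.permissions.yml with 'restrict access: true' so the
# permissions UI flags it as security-sensitive. Reusing
# 'administer site configuration' is acceptable; a module-specific
# permission lets sites delegate more narrowly.
example_module.settings:
  path: '/admin/config/services/example'
  defaults:
    _form: '\Drupal\example_module\Form\SettingsForm'
    _title: 'Example settings'
  requirements:
    _permission: 'administer example configuration'
```

A cheap audit for contrib modules you deploy is to grep their *.routing.yml files for _access: 'TRUE' and confirm each hit is a route that genuinely needs no check; forms under /admin almost never are. Fetching the path while logged out and expecting a 403 is the runtime version of the same check.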

Solution: 

Install the latest version:

  • If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade to Wingsuit 8.x-1.1
4 May 2022

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

Project: Duo Two-Factor Authentication
Date: 2022-May-04
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.

4 May 2022

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

Project: Quick Node Clone
Date: 2022-May-04
Security risk: Moderately critical 10/25 AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All
Vulnerability: Access bypass
Description:

The module adds a "Clone" tab to a node. When clicked, a new node is created and the fields of the original node are copied into the new one. This module supports paragraphs, groups, and other referenced entities.

The module allowed users to bypass group access checks when cloning group content: a user could clone nodes belonging to other groups, and the cloned node was then added to groups the user did not have access to.

This vulnerability is mitigated by the fact that it only affects sites that also use the Group contributed module.

Solution: 

Install the latest version:

4 May 2022

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Project: Image Field Caption
Version: 8.x-1.1
Date: 2022-May-04
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module does not sanitize user input in certain cases, which leads to a cross-site scripting (XSS) vulnerability.

The vulnerability is mitigated by several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.

Solution: 

Install the latest version:

4 May 2022

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Project: Doubleclick for Publishers (DFP)
Date: 2022-May-04
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.

The module does not sanitize user input in certain cases, which leads to cross-site scripting (XSS) vulnerabilities. An attacker who can create or edit certain entities may be able to exploit this to target visitors of the site, including site admins with privileged access.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".

Solution: 

Install the latest version:

  • If you use the Doubleclick for Publishers module for Drupal 9.x, upgrade to DFP 8.x-1.2

Note that the Drupal 7 version of this module is unaffected.
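The Embed, Image Field Caption and DFP advisories above are all the same class of bug: a user-supplied string (a caption, an embed attribute, an ad slot setting) reaching the page without passing through the renderer's escaping. The class below is an added illustration, not code from any of those modules; the class name is an assumption and the payload is a constructed sample. It sets the one unsafe pattern beside the render-array forms that escape or filter for you.

```php
<?php

namespace Drupal\example_captions;

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

/**
 * Ways a caption (or any user-supplied string) can reach the page.
 *
 * Added illustration, not Embed, Image Field Caption or DFP code.
 */
final class CaptionOutput {

  /**
   * UNSAFE: Markup::create() asserts the string is already safe HTML, so
   * the renderer and Twig print it verbatim, event handler included. Only
   * wrap strings your own code assembled from already-escaped parts.
   */
  public static function unsafe(string $caption): array {
    return ['#markup' => Markup::create($caption)];
  }

  /**
   * Safe when no HTML is wanted: #plain_text is HTML-escaped on render.
   * Html::escape() does the same for strings you concatenate yourself.
   */
  public static function asText(string $caption): array {
    return ['#plain_text' => $caption];
  }

  /**
   * Safe when limited formatting is wanted: a plain string in #markup is
   * passed through Xss::filter() with #allowed_tags (default: the admin
   * tag list). Tags outside the list are removed; on* event attributes and
   * javascript: URLs are stripped from the tags that remain.
   */
  public static function asLimitedHtml(string $caption): array {
    return [
      '#markup' => $caption,
      '#allowed_tags' => ['em', 'strong', 'a'],
    ];
  }

  /**
   * Safe when the author chose a text format: #processed_text runs that
   * format's filters (filter_html and friends), as node bodies do. Requires
   * the core filter module.
   */
  public static function asFormatted(string $caption, string $format_id): array {
    return [
      '#type' => 'processed_text',
      '#text' => $caption,
      '#format' => $format_id,
    ];
  }

  /**
   * The same filters outside the render pipeline, e.g. for a JSON response
   * or a value handed to JavaScript via drupalSettings.
   */
  public static function sanitize(string $caption, bool $allow_basic_html): string {
    return $allow_basic_html
      ? Xss::filter($caption, ['em', 'strong', 'a'])
      : Html::escape($caption);
  }

  /**
   * Constructed attacker payload: a broken image whose error handler runs
   * script. unsafe() passes the onerror attribute through; asText() escapes
   * the whole tag; asLimitedHtml() removes the img tag because it is not in
   * the allowed list.
   */
  public static function samplePayload(): string {
    return '<img src="x" onerror="alert(document.cookie)">Photo';
  }

}
```

In Twig the same three choices apply: {{ caption }} is auto-escaped unless the value is a Markup object or the template applies the raw filter, so a grep for |raw and Markup::create( across a module is a reasonable first pass when reviewing it for this class of issue.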

4 May 2022

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Description:

This module enables you to add URL fields to entity types with a variety of options.

The module does not sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Solution: 

Install the latest version:

  • If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.11
12 April 2022

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Rename Admin Paths module adds a layer of obscurity to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass that protection by using specially crafted URLs.

The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.

Solution: 

Install the latest version:

Only the 7.x branch of the module is vulnerable. If you use the 8.x branch, no action is required.

30 March 2022

Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

Project: Anti Spam by CleanTalk
Date: 2022-March-30
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:None/II:All/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description:

This module provides integration with the CleanTalk spam protection service.

The module does not properly filter data before using it in database queries in certain circumstances.
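The advisory gives no detail, so what follows is a general illustration of the Drupal database API pattern behind this class of bug, not CleanTalk module code; the class name, the table example_spam_log and its columns are assumptions. The leaky method builds SQL by string concatenation; the others let the connection bind the value, and the last shows the one case placeholders cannot cover (identifiers), where an allow-list is the answer.

```php
<?php

namespace Drupal\example_spam;

use Drupal\Core\Database\Connection;

/**
 * Looks up stored spam-check records for an IP address.
 *
 * Added illustration, not CleanTalk code; table and columns are assumptions.
 */
final class SpamRecordLookup {

  /**
   * @var \Drupal\Core\Database\Connection
   */
  private $db;

  public function __construct(Connection $db) {
    $this->db = $db;
  }

  /**
   * Injectable: the value becomes part of the SQL text, so an IP of
   *   x' OR '1'='1
   * changes the query instead of being compared against the column.
   */
  public function countLeaky(string $ip): int {
    $sql = "SELECT COUNT(*) FROM {example_spam_log} WHERE ip = '" . $ip . "'";
    return (int) $this->db->query($sql)->fetchField();
  }

  /**
   * Parameterised: the value travels as a bound placeholder, never as SQL.
   */
  public function countSafe(string $ip): int {
    $sql = 'SELECT COUNT(*) FROM {example_spam_log} WHERE ip = :ip';
    return (int) $this->db->query($sql, [':ip' => $ip])->fetchField();
  }

  /**
   * Same result with the query builder, which quotes identifiers and binds
   * condition values itself.
   */
  public function countBuilder(string $ip): int {
    return (int) $this->db->select('example_spam_log', 's')
      ->condition('s.ip', $ip)
      ->countQuery()
      ->execute()
      ->fetchField();
  }

  /**
   * LIKE patterns need their wildcards escaped in addition to binding.
   */
  public function countPrefix(string $ip_prefix): int {
    return (int) $this->db->select('example_spam_log', 's')
      ->condition('s.ip', $this->db->escapeLike($ip_prefix) . '%', 'LIKE')
      ->countQuery()
      ->execute()
      ->fetchField();
  }

  /**
   * Identifiers (table and column names, ORDER BY fields) cannot be
   * placeholders; restrict them to an allow-list instead of interpolating.
   */
  public function listSorted(string $sort): array {
    $allowed = ['created', 'ip'];
    if (!in_array($sort, $allowed, TRUE)) {
      throw new \InvalidArgumentException('Unsupported sort field.');
    }
    return $this->db->select('example_spam_log', 's')
      ->fields('s', ['ip', 'created'])
      ->orderBy('s.' . $sort)
      ->execute()
      ->fetchAll();
  }

}
```

When reviewing a module, the quick indicators are query() calls whose SQL string is built with concatenation or sprintf() from request data, and db_query_range()/db_select() descendants that accept a field name straight from the URL.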

Solution: 

Install the latest version:

23 March 2022

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Privilege escalation
Description:

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without those roles needing the "administer permissions" permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own account.

This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the Views Bulk Operations module enabled. For example, the admin_views module provides such a view.

Solution: 

Install the latest version:

23 March 2022

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

This module was marked unsupported on 2022-01-26; however, the SA was not published at that time.

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

9 March 2022

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module exposed too much information about users, such as the list of groups a given uid belongs to.

Solution: 

Install the latest version:

9 March 2022

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

SVG Formatter module provides support for using SVG images on your website.

The module's dependency library, enshrined/svg-sanitize, has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

Solution: 

Update the module to 8.x-1.17 or 2.0.1, which allows the enshrined/svg-sanitize library to be updated to version 0.15 or newer.

The updated library is most easily installed with Composer. To update the module together with the library, run:

composer update --with-dependencies drupal/svg_formatter

Afterwards, composer show enshrined/svg-sanitize prints the installed library version, which should be 0.15 or newer; updating the module alone without the library leaves the vulnerable sanitizer in place.