Drupal contrib security advisories

17 March 2021

Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005

Project: Fast Autocomplete
Version: 8.x-1.7, 8.x-1.6, 8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2021-March-17
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off.

This enables a malicious user to read search results generated for users with other roles, disclosing search results that the user normally has no access to.

Solution: 

Install the latest version:

Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.

Fast Autocomplete for Drupal 7.x is not affected.

Reported By: Fixed By: Coordinated By: 
3 March 2021

Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004

Project: Webform
Date: 2021-March-03
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default
Vulnerability: Access bypass
Description:

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.

Solution: 

Install the latest version:

If you are using a previous release of the Webform module, you can immediately take one of the following steps.

  1. Delete the default Contact form. (/form/contact)
  2. Delete the default Contact form's confirmation email handler. (/admin/structure/webform/manage/contact/handlers)
  3. Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
  4. Add SPAM protection to the default Contact form.
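The following configuration excerpt is an added illustration of option 3 and is not taken from the Webform project itself. It assumes the default Contact webform is exported as webform.webform.contact.yml with an email handler keyed email_confirmation (the handler id appears in the path above), that the handler's settings use a to_mail key, and that the shipped default recipient is the token [webform_submission:values:email:raw]; those key names and the default token are assumptions about the module's configuration schema, not facts stated in the advisory.

```yaml
# Added example (assumed layout of webform.webform.contact.yml), not the
# Webform module's own file. Only the confirmation handler is shown.
handlers:
  email_confirmation:
    id: email
    handler_id: email_confirmation
    label: 'Email confirmation'
    status: true
    settings:
      # Weak (pre-fix) setting, assumed default: the recipient is whatever
      # address the submitter typed into the form, so an anonymous visitor can
      # make the site deliver a confirmation email to any mailbox.
      # to_mail: '[webform_submission:values:email:raw]'
      #
      # Corrected setting (advisory option 3): deliver only to the account
      # address of the user who is logged in. For anonymous users the token
      # is empty, so no confirmation email is relayed.
      to_mail: '[current-user:mail]'
      subject: 'Thank you for contacting us'
      body: '[webform_submission:values]'
```

After importing such a change (for example with drush config:import), verify the effect by submitting the Contact form while logged out and confirming that only the site owner's notification email is sent; if anonymous confirmations are still required, pair the original token with a spam-protection element on the form instead, as the advisory recommends.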
Reported By: Fixed By: Coordinated By: 
27 January 2021

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003

Project: Subgroup
Version: 1.0.x-dev
Date: 2021-January-27
Security risk: Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.

When you configure Subgroup with a tree of at least three levels, users may inadvertently receive permissions in a group that is an uncle or cousin of the source group rather than a direct ancestor or descendant. Trees that branch only at the lowest tier (or do not branch at all) are unaffected.

Solution: 

Install the latest version, Subgroup 1.0.1, and clear your caches.

Reported By: Fixed By: Coordinated By: 
27 January 2021

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the "manage members" permission to export all data of a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must be configured in such a way that a logged-in user is able to export users.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8
Reported By: Fixed By: Coordinated By: 
27 January 2021

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social, e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users, allowing the registration form to be cached together with disclosed information in certain scenarios. That information is normally available only to logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled and one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from the configuration blocks this vulnerability.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8
Reported By: Fixed By: Coordinated By: