Drupal contrib security advisories

Project: S3 File SystemDate: 2022-September-28Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables you to utilize S3-compatible storage as a Drupal filesystem.

The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.

This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.

Solution: 

Install the latest version:

• If you use the S3 File System module for Drupal 7.x, upgrade to S3 File System 7.x-2.14

Reported By: 

• Conrad Lara
• Guy Elsmore-Paddock

Fixed By: 

• Conrad Lara
• Ron Shimshock

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Permissions by TermVersion: 3.1.18Date: 2022-September-07Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution: 

Install the latest version:

• If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19

Reported By: 

• federico prato

Fixed By: 

• federico prato
• Peter Majmesku
• Jess of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Permissions by TermVersion: 3.1.173.1.163.1.153.1.143.1.133.1.123.1.113.1.103.1.93.1.83.1.73.1.63.1.53.1.43.1.33.1.23.1.13.1.03.0.13.0.0Date: 2022-September-07Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to restrict content via taxonomy terms and related permissions.

The module doesn't sufficiently restrict cached content in certain circumstances.

This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module.

Solution: 

Install the latest version:

• If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19

Reported By: 

• ytsurk
• Andy Fowlston
• Joseph
• Julian Pustkuchen
• Aleksi Peebles

Fixed By: 

• Peter Majmesku
• ytsurk
• Joseph
• Julian Pustkuchen
• Aleksi Peebles
• Ambient.Impact
• Stephen Mustgrave
• Jay McGraw

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Next.jsVersion: 1.2.01.1.01.0.0Date: 2022-September-07Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.

Solution: 

If you use the Next.js module for Drupal 9.x:

1. Upgrade to version v1.3.0.
2. Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.

See the upgrade guide at https://next-drupal.org/docs/upgrade-guide.

Reported By: 

• Lauri Eskola

Fixed By: 

• Lauri Eskola
• shadcn
• Minnur Yunusov

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Commerce ElavonVersion: 8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0Date: 2022-August-24Security risk: Moderately critical 11∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <=2.2.0Description: 

This module enables you to accept payments from the Elavon payment provider.

The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.

This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.

Solution: 

Install the latest version:

• If you use the Commerce Elavon module for Drupal 8.x/9.x, upgrade to Commerce Elavon 8.x-2.3
• If you use the Commerce Elavon module version 1.x for Drupal 7.x, upgrade to Commerce Elavon 7.x-1.5

Reported By: 

• Andy Fowlston

Fixed By: 

• Andy Fowlston
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: jQuery UI CheckboxradioVersion: 8.x-1.38.x-1.28.x-1.18.x-1.0Date: 2022-August-10Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:UncommonVulnerability: Cross site scriptingDescription: 

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed following security issue that may affect sites using the jQuery UI Checkboxradio module:

• CVE-2022-31160: XSS when refreshing a checkboxradio with an HTML-like initial text label
  

Solution: 

Install the latest version. If you use the jQuery UI Checkboxradio module for Drupal 9, upgrade to:

• jQuery UI Checkboxradio 8.x-1.4.

Reported By: 

• Benji Fisher, provisional member of the Drupal Security Team

Fixed By: 

• Benji Fisher, provisional member of the Drupal Security Team
• xjm of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• xjm of the Drupal Security Team

Project: TagifyVersion: 1.0.41.0.31.0.2-beta11.0.1-beta11.0.0-beta1Date: 2022-July-27Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:None/II:Some/E:Exploit/TD:UncommonVulnerability: Access bypassDescription: 

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

Solution: 

Install the latest version:

• If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5

Reported By: 

• Conrad Lara

Fixed By: 

• David Galeano
• Conrad Lara

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: PDF generator APIVersion: 2.2.12.2.02.1.02.0.0Date: 2022-July-27Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to generate PDF versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.

Solution: 

Install the latest version:

• If you use the pdf_api module for Drupal 2.x, upgrade to pdf_api 2.2.2

Reported By: 

• tedfordgif
• David Archuleta

Fixed By: 

• tedfordgif
• Nigel Cunningham

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: ContextVersion: 7.x-3.107.x-3.97.x-3.87.x-3.77.x-3.67.x-3.57.x-3.47.x-3.37.x-3.27.x-3.17.x-3.07.x-3.0-rc17.x-3.0-beta77.x-3.0-beta67.x-3.0-beta57.x-3.0-beta47.x-3.0-beta37.x-3.0-beta27.x-3.0-beta17.x-3.0-alpha37.x-3.0-alpha27.x-3.0-alpha1Date: 2022-July-27Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

• If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.11.

Reported By: 

• Harold Aling

Fixed By: 

• Harold Aling
• Bostjan Kovac
• Nedjo Rogers

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Entity PrintDate: 2022-July-13Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Multiple: Remote Code Execution, Information disclosureDescription: 

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0

Note on 3rd party vulnerabilities

This security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is PSA-2019-09-04). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory.

Solution: 

Install the latest version (8.x-2.6) of this module and update dompdf/dompdf at the same time. It is recommended to use composer to do the update using commands similar to the following:

composer update drupal/entity_print
composer require dompdf/dompdf:~2 Reported By: 

• szato
• Munavir P k

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Carlos Santana
• Manoj Selvan

Coordinated By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Config TermsDate: 2022-June-29Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Access bypassDescription: 

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

Solution: 

Install the latest version:

• If you use the Config Terms module for Drupal 9.x, upgrade to Config Terms 8.x-1.6 or later

Reported By: 

• Emil Johnsson

Fixed By: 

• Emil Johnsson
• Justin Ludwig

Project: Lottiefiles FieldDate: 2022-June-29Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.

Solution: 

Install the latest version:

• If you use the lottifiles_field module for Drupal 8.x or 9.x, upgrade to Lottiefiles Field 1.0.3.

Reported By: 

• Conrad Lara

Fixed By: 

• Hari Venu
• Conrad Lara

Coordinated By: 

• Greg Knaddison of the Drupal Security Team