Drupal contrib security advisories

18 November 2020

SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038

Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider
Date: 2020-November-18
Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website.

The module has two authentication bypass vulnerabilities.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
18 November 2020

Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

Project: Ink Filepicker
Date: 2020-November-18
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

It appears that the third-party service this module integrates with has been retired.

If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

18 November 2020

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

Media: oEmbed does not properly sanitize certain filenames, as described in SA-CORE-2020-012.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
18 November 2020

Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

Project: Examples for Developers
Date: 2020-November-18
Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

The File Example submodule within the Examples project does not properly sanitize certain filenames, as described in SA-CORE-2020-012, and has other related vulnerabilities.

Therefore, File Example is being removed from Examples until a version demonstrating file security best practices can be added back in the future.
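As an added illustration of the filename problem that SA-CORE-2020-012 addresses, which is the issue behind both this File Example entry and the Media: oEmbed advisory above, the snippet below implements the underscore-munging idea in Python: any inner extension that is not on the upload allow-list gets a trailing underscore, so a name like shell.php.png no longer matches a web server that maps handlers by any extension in the name (Apache AddHandler, for instance). This is example code written for this page, not Drupal's own or either module's; the allow-list, function names and the sample directory listing are constructed for the example.

```python
from typing import Iterable, Optional

# Allow-list of final extensions this sample sanitizer accepts. Constructed
# for the example; a real Drupal site takes this from its file field settings.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "txt", "pdf"})


def munge_filename(filename: str, allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> str:
    """Neutralise every inner extension that is not on the allow-list.

    'shell.php.png' becomes 'shell.php_.png'. The trailing underscore stops
    servers that dispatch on any extension in the name from treating the
    file as PHP, while the final extension is left as the user supplied it.
    Segments that already end in '_' are left alone, so the function is
    idempotent and safe to run over names that were munged earlier.
    """
    allowed = {ext.lower() for ext in allowed}
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # zero or one extension: nothing inner to neutralise
    name, *inner, last = parts
    munged = [name]
    for ext in inner:
        if ext.lower() in allowed or ext.endswith("_"):
            munged.append(ext)
        else:
            munged.append(ext + "_")
    munged.append(last)
    return ".".join(munged)


def sanitize_upload_name(filename: str, allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> Optional[str]:
    """Return a safe name for an uploaded file, or None when it must be rejected.

    Rejects names with no extension or with a final extension outside the
    allow-list, then munges whatever inner extensions remain.
    """
    allowed = {ext.lower() for ext in allowed}
    _, dot, last = filename.rpartition(".")
    if not dot or last.lower() not in allowed:
        return None
    return munge_filename(filename, allowed)


def find_multi_extension_files(filenames: Iterable[str], allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> list:
    """Flag names already on disk that carry an inner extension outside the allow-list.

    Useful when auditing a site's files directory after applying the fix:
    anything the sanitizer would rewrite was uploaded without munging.
    """
    allowed = {ext.lower() for ext in allowed}
    return [f for f in filenames if munge_filename(f, allowed) != f]


if __name__ == "__main__":
    # Constructed sample listing of an uploads directory (not real site data).
    sample = ["avatar.png", "shell.php.png", "notes.txt", "backup.tar.gz", "exploit.phtml.jpg"]
    for risky in find_multi_extension_files(sample):
        print(f"{risky} -> {munge_filename(risky)}")
```

The audit helper is deliberately conservative: backup.tar.gz is flagged alongside shell.php.png because "tar" is not on the allow-list, which is the same trade-off an allow-list based munger makes; tighten or widen ALLOWED_EXTENSIONS to match the field configuration of the site being checked.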

Solution: 

Any site that has the File Example submodule installed should uninstall it immediately.

Then, install the latest version of Examples:

Reported By: Fixed By: Coordinated By: 
14 October 2020

Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034

Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO )
Date: 2020-October-14
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description:

This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials.

The 8.x branch of the module is vulnerable to SQL injection.

Solution: 

Install the latest version:

  • If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1
Reported By: Fixed By: Coordinated By: