Drupal contrib security advisories

Subscribe to Drupal contrib security advisories hírcsatorna
Frissítve: 2 óra 1 perc
2020. március 25.

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Project: Svg ImageDate: 2020-March-25Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

Also see the Svg Image project page.

Reported By: Fixed By: Coordinated By: 
2020. március 18.

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editorDate: 2020-March-18Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution: 

Install the latest version:

Also see the CKEditor- WYSIWYG HTML editor project page

Reported By: Fixed By: Coordinated By: 
2020. március 11.

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

Project: SAML Service ProviderDate: 2020-March-11Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration.

Solution: 

Install the latest version:

Also see the SAML Service Provider project page.

Reported By: Fixed By: Coordinated By: 
2020. március 4.

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005

Project: SVG FormatterDate: 2020-March-04Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Formatter module provides support for using SVG images on your website.

This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.

This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.

Solution: 

Install the latest version:

Also see the SVG Formatter project page.

Reported By: Fixed By: Coordinated By: 
2020. február 19.

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

Project: ProfileDate: 2020-February-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution: 

Install the latest version:

Also see the Profile project page.

Reported By: Fixed By: Coordinated By: 
2020. február 5.

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Project: Views Bulk Operations (VBO)Date: 2020-February-05Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Solution: 

Install the latest version:

Also see the Views Bulk Operations (VBO) project page.

Reported By: Fixed By: Coordinated By: 
2020. január 22.

SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002

Project: SpamSpan filterDate: 2020-January-22Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.

This module contains a spamspan twig filter which doesn't sanitize the passed HTML string.

This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpan filter on a field that an attacker could populate. By default the SpamSpan module does not use the vulnerable twig filter.

Solution: 

Install the latest version:

Also see the SpamSpan filter project page.

Reported By: Fixed By: Coordinated By: 
2020. január 15.

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Project: RadixDate: 2020-January-15Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution: 

Install the latest version:

  • If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8

Also see the Radix project page.

Reported By: Fixed By: Coordinated By: