Drupal contrib security advisories

Project: Svg ImageDate: 2020-March-25Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

• If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10

Also see the Svg Image project page.

Reported By: 

• Dmitry Kiselev

Fixed By: 

• Yaroslav Lushnikov
• Dmitry Kiselev
• Jeroen Tubex

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: CKEditor - WYSIWYG HTML editorDate: 2020-March-18Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution: 

Install the latest version:

• If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.19

Also see the CKEditor- WYSIWYG HTML editor project page

Reported By: 

• Yonatan Offek

Fixed By: 

• Robert Mikołajuk

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SAML Service ProviderDate: 2020-March-11Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration.

Solution: 

Install the latest version:

• If you use the SAML Service Provider module for Drupal 8.x, upgrade to SAML Service Provider 8.x-3.7

Also see the SAML Service Provider project page.

Reported By: 

• J Proctor

Fixed By: 

• J Proctor
• James Glasgow

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SVG FormatterDate: 2020-March-04Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Formatter module provides support for using SVG images on your website.

This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.

This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.

Solution: 

Install the latest version:

• If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.12

Also see the SVG Formatter project page.

Reported By: 

• Jeroen Tubex

Fixed By: 

• Goran Nikolovski

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ProfileDate: 2020-February-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution: 

Install the latest version:

• If you use the Profile module for Drupal 8.x, upgrade to Profile 8.x-1.1

Also see the Profile project page.

Reported By: 

• karl972

Fixed By: 

• Matt Glaman
• Bojan Živanović

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Views Bulk Operations (VBO)Date: 2020-February-05Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Solution: 

Install the latest version:

• If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-3.4
• If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-2.6

Also see the Views Bulk Operations (VBO) project page.

Reported By: 

• Adam Shepherd

Fixed By: 

• Adam Shepherd
• Marcin Grabias

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SpamSpan filterDate: 2020-January-22Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.

This module contains a spamspan twig filter which doesn't sanitize the passed HTML string.

This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpan filter on a field that an attacker could populate. By default the SpamSpan module does not use the vulnerable twig filter.

Solution: 

Install the latest version:

• If you use the SpamSpan module for Drupal 8.x, upgrade to SpamSpan 8.x-1.1

Also see the SpamSpan filter project page.

Reported By: 

• Jeroen Tubex

Fixed By: 

• Jeroen Tubex
• vitalie

Coordinated By: 

• Ben Jeavons of the Drupal Security Team

Project: RadixDate: 2020-January-15Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution: 

Install the latest version:

• If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8

Also see the Radix project page.

Reported By: 

• annagaz

Fixed By: 

• David Snopek of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team