Drupal contrib security advisories

Project: Meta tags quickDate: 2019-July-17Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Metatags quick is a module that manages meta tags (tags that appear in HTML's head section) as Drupal 7 fields.
Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version.

If you use the Metatags quick module for Drupal 7.x, upgrade to metatags quick 7.x-2.10.

Reported By: 

• Yonatan Offek

Fixed By: 

• Valery Lourie
• Yonatan Offek

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ImageCache ActionsDate: 2019-July-17Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Multiple Vulnerabilities Description: 

The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site where unserialize() is known to have security issues when processing potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".

Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behaviour for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.

The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).

Solution: 

• If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10.
• Image Effects, the D8 successor is *not* vulnerable to this exploit.

Reported By: 

• Ruben Hofman

Fixed By: 

• Erwin Derksen
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Custom PermissionsVersion: 8.x-1.x-devDate: 2019-July-10Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to add and manage additional custom permissions through the administration UI.

The module doesn't sufficiently check for the proper access permissions to this page.

This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form though this is easily known.

Solution: 

Install the latest version:

• If you use the Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to Custom Permissions 8.x-1.2

Also see the Custom Permissions project page.

Reported By: 

• Mohammed Razem

Fixed By: 

• David Valdez

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Advanced ForumVersion: 7.x-2.x-devDate: 2019-June-26Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides.

The module doesn't sufficiently sanitise user input in specific circumstances. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

Solution: 

Install the latest version:

• If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced Forum 7.x-2.8

Also see the Advanced Forum project page.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Vijaya Chandran Mani Provisonal Member of the Drupal Security Team

Coordinated By: 

• Drew Webber of the Drupal Security Team

Project: Easy BreadcrumbVersion: 7.x-2.x-devDate: 2019-June-19Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitise user input in certain circumstances.

This vulnerability does not require any permissions but can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation.

Solution: 

Install the latest version:

• If you use the Easy Breadcrumb module for Drupal 7.x, upgrade to Easy Breadcrumb 7.x-2.17

Also see the Easy Breadcrumb project page.

Reported By: 

• Jill Garland
• P K

Fixed By: 

• Balazs Janos Tatar Provisional Member of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Coordinated By: 

• Drew Webber of the Drupal Security Team

Project: Universally Unique IDentifierDate: 2019-May-29Security risk: Moderately critical 14∕25 AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it's used in combination with Services+REST server.

This vulnerability is mitigated by the fact that an attacker must authenticate to the site, services module must be configured on the site and the user update resource enabled.

Solution: 

Install the latest version:

• If you use the Universally Unique IDentifier module for Drupal 7.x, upgrade to UUID 7.x-1.3

Also see the Universally Unique IDentifier project page.

Reported By: 

• Gustavo Iñiguez Goia

Fixed By: 

• Manuel Garcia
• Samuel Mortenson of the Drupal Security Team

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team

Project: TableFieldVersion: 7.x-3.x-dev7.x-2.x-devDate: 2019-May-29Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass and Cross Site ScriptingDescription: 

This module allows you to attach tabular data to an entity.

Access bypass

There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.

XSS

When "Raw data (JSON or XML)" is used in the field's Display settings, it doesn't sanitize JSON output before passing it on to be rendered.

This vulnerability is mitigated by the fact that an attacker must have a role with Edit permissions.

Solution: 

Install the latest version:

• If you use a Tablefield module version 7.x-2.x, upgrade to tablefield 7.x-3.5.
• If you use a Tablefield module version 7.x-3.x, upgrade to tablefield 7.x-2.8.

Also see the TableField project page.

Reported By: 

• Yonatan Offek

Fixed By: 

• Yonatan Offek
• Jen Lampton
• Martin Postma

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Menu Item ExtrasDate: 2019-May-22Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryDescription: 

This module enables you to handle fields for Custom Menu Links.
The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

Solution: 

Install the latest version:

• If you use the Menu Item Extras module for Drupal 8.x, upgrade to Menu Item Extras 8.x-2.5

Reported By: 

• Graham Cole

Fixed By: 

• Andriy Khomych
• Graham Cole
• Mykhailo Gurei
• Oleh Vehera

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: WorkflowDate: 2019-May-22Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Workflow module enables you to create arbitrary Workflows, and assign them to Entities.
The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nodes" and "administer workflow".

Solution: 

Install the latest version:

• If you use the Workflow module for Drupal 7.x, upgrade to Workflow 7.x-2.12

Reported By: 

• Roberto Mariani

Fixed By: 

• Roberto Mariani
• David Snopek of the Drupal Security Team
• John Voskuilen
• Sarah Hood
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Multiple RegistrationDate: 2019-May-15Security risk: Critical 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role.

This vulnerability is mitigated on sites where account approval is required as the user starts as blocked but still gets the "Administrator" role.

Solution: 

Install the latest version:

• If you use the Multiple registration module for Drupal 8.x, upgrade to Multiple registration 8.x-2.8

Reported By: 

• iswilson

Fixed By: 

• Yaroslav Samoylenko
• iswilson
• Cash Williams of the Drupal Security Team

Coordinated By: 

Cash Williams of the Drupal Security Team

Project: Opigno Learning pathDate: 2019-May-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.

Solution: 

Install the latest version:

• If you use the opigno learning path module for Drupal 8.x, upgrade to opigno_learning_path 8.x-1.4
• If using the opigno lms distribution it is recommended to update the whole distribution to the latest version Opigno lms 8.x-1.5

Also see the Opigno Learning path project page.

Reported By: 

• Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

• James Aparicio
• Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

• Nathaniel Catchpole of the Drupal Security Team

Project: Opigno forumDate: 2019-May-15Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants.

This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are listings such as views where the site builder / developer has not taken this into account.

Solution: 

Install the latest version:

• If you use the opigno_forum module for Drupal 8.x, upgrade to opigno_forum 8.x-1.2

Also see the Opigno forum project page.

Reported By: 

• Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

• James Aparicio
• Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

• Nathaniel Catchpole of the Drupal Security Team

Project: TableFieldDate: 2019-April-17Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module allows you to attach tabular data to an entity.

The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution: 

Install the latest version:

• If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

Reported By: 

• Drew Webber Provisional Security Team Member

Fixed By: 

• Drew Webber Provisional Security Team Member
• Martin Postma
• Jen Lampton

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Stage File ProxyVersion: 7.x-1.x-devDate: 2019-April-17Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceDescription: 

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).

Solution: 

Install the latest version:

• If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage File Proxy 7.x-1.9

Also see the Stage File Proxy project page.

Reported By: 

• remydenton
• Axel Rutz
• Drew Webber Provisional Security Team Member

Fixed By: 

• remydenton
• Axel Rutz
• Drew Webber Provisional Security Team Member

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ServicesVersion: 7.x-3.x-devDate: 2019-April-03Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update nodes that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a node.

Solution: 

Install the latest version:

• If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.24

Also see the Services project page.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Tyler Frankenstein

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team