Drupal contrib security advisories
Fast Autocomplete - Moderately critical - Access bypass - SA-CONTRIB-2021-005
The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.
The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off.
This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.
Solution: Install the latest version:
- If you use the Fast Autocomplete module for Drupal 8.x or 9.x, upgrade to Fast Autocomplete 8.x-1.8
Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.
Fast Autocomplete for Drupal 7.x is not affected.
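The defect above is a cache-partitioning problem: a suggestion file generated under one user's access is served to anyone whose request hashes to the same file name. The following added example (not the Fast Autocomplete module's own code) shows the property the file-name hash must have: in "anonymous only" mode every caller maps to one anonymous bucket, and in the other mode the caller's role set is part of the key, so a file built with editor access is never handed to an anonymous visitor. `SITE_SALT` and `constructed_search` are assumed stand-ins for a site-private value and the real search backend.

```python
"""Role-aware cache keys for pre-generated suggestion files (added example)."""
import hashlib
import json

SITE_SALT = "replace-with-a-site-private-value"  # assumed placeholder


def access_context(roles, anonymous_only: bool):
    """The access context a request is answered with: anonymous, or the caller's roles."""
    return ["anonymous"] if anonymous_only else sorted(set(roles))


def suggestion_file_key(user_input: str, roles, anonymous_only: bool) -> str:
    """File name under which results for this input are cached.

    The access context is hashed together with the input, so two requests
    only share a file when they would see the same results anyway.
    """
    material = json.dumps(
        {"salt": SITE_SALT, "roles": access_context(roles, anonymous_only), "input": user_input},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest() + ".json"


def constructed_search(user_input, roles):
    """Constructed stand-in for the site search: titles visible to any of `roles`."""
    corpus = [
        ("public memo", {"anonymous", "authenticated", "editor"}),
        ("internal memo", {"editor"}),
    ]
    return sorted(title for title, visible_to in corpus
                  if user_input in title and visible_to & set(roles))


class SuggestionCache:
    """Minimal stand-in for the JSON files kept in the public files folder."""

    def __init__(self, anonymous_only: bool):
        self.anonymous_only = anonymous_only
        self.files = {}  # file name -> cached results

    def lookup(self, user_input, roles, search=constructed_search):
        """Serve the cached file for this (input, access context), building it on a miss."""
        key = suggestion_file_key(user_input, roles, self.anonymous_only)
        if key not in self.files:
            self.files[key] = search(user_input, access_context(roles, self.anonymous_only))
        return self.files[key]
```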
Reported By:
- Heine Deelstra of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Martijn Vermeulen
- Heine Deelstra of the Drupal Security Team
Webform - Moderately critical - Access bypass - SA-CONTRIB-2021-004
The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.
The confirmation email can be used as an open mail relay to send an email to any email address.
This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.
With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.
If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.
Solution: Install the latest version:
- If you use the Webform module for Drupal 8/9, upgrade to Webform 8.x-5.25 or Webform 6.0.2
If you are using a previous release of the Webform module, you can immediately do one of the following:
- Delete the default Contact form. (/form/contact)
- Delete the default Contact form's confirmation email handler. (/admin/structure/webform/manage/contact/handlers)
- Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
- Add SPAM protection to the default Contact form.
- Greg Knaddison of the Drupal Security Team
Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003
This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.
When you configure Subgroup with a tree of at least three levels, users may inadvertently receive permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees that branch only at the lowest tier (or not at all) are unaffected.
Solution: Install the latest version, Subgroup 1.0.1, and clear your caches.
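The following added example (not the Subgroup module's own code) shows the check that inheritance must satisfy in a tree of the kind described above: a permission may travel upward to ancestors or downward to descendants of the source group, but a group that merely shares a root with the source (a sibling, uncle or cousin) is not on that line and must not receive it. The group tree and names are constructed for the example.

```python
"""Permission inheritance restricted to the direct line of a group tree (added example)."""


def ancestors(parent_of, group):
    """Groups on the path from `group` up to the root, nearest first, excluding `group`."""
    seen = []
    while group in parent_of:
        group = parent_of[group]
        if group in seen:
            raise ValueError("cycle in group tree")
        seen.append(group)
    return seen


def descendants(parent_of, group):
    """All groups below `group`, at any depth, sorted by name."""
    children = {}
    for child, parent in parent_of.items():
        children.setdefault(parent, []).append(child)
    result, stack = [], list(children.get(group, []))
    while stack:
        current = stack.pop()
        result.append(current)
        stack.extend(children.get(current, []))
    return sorted(result)


def inherits(parent_of, source, target, direction):
    """True if a permission held in `source` reaches `target`.

    direction is 'up' (ancestors only), 'down' (descendants only) or 'both'.
    Groups that are not on the direct line, such as an uncle or cousin of
    `source`, never qualify, whatever the direction.
    """
    if direction in ("up", "both") and target in ancestors(parent_of, source):
        return True
    if direction in ("down", "both") and target in descendants(parent_of, source):
        return True
    return False


# Constructed three-level tree (child -> parent):
#          company
#         /       \
#      sales    engineering
#        |          |
#     sales-eu    eng-eu
TREE = {"sales": "company", "engineering": "company",
        "sales-eu": "sales", "eng-eu": "engineering"}
```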
Reported By:
- Mori Sugimoto of the Drupal Security Team
- kyk
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002
The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.
The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the "manage members" permission to export all data of a selected user in certain scenarios.
This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must be configured so that a logged-in user is able to export users.
Solution: Install the latest version:
- If you use Open Social major version 8, upgrade to 8.x-8.10
- If you use Open Social major version 9, upgrade to 8.x-9.8
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001
The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.
The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information in certain scenarios. The information is usually only available for logged-in users of the community.
This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled and one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.
Removing the single sign-on providers from the configuration blocks this vulnerability.
Solution: Install the latest version:
- If you use Open Social major version 8, upgrade to 8.x-8.10
- If you use Open Social major version 9, upgrade to 8.x-9.8
- Greg Knaddison of the Drupal Security Team