Drupal

Security advisories for multiple Drupal 8 contributed modules: Smart Trim, Modal Page, Taxonomy access fix, Permissions by Term

Nick

Marketing Project Manager

Dec 11, 2019
Add comment

Security advisories for multiple Drupal 8 contributed modules: Smart Trim, Modal Page, Taxonomy access fix, Permissions by Term

Project: Smart Trim
Version: 8.x-1.x
Date: 2019-December-11
Security risk: Moderately critical 
Vulnerability: Cross site scripting

Description

The Smart Trim module allows site builders additional control with text summary fields.

The module doesn't sufficiently filter text when certain options are selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.

Multiple security advisories from Drupal Security team released today

Public

Nov 13, 2019
Add comment

Projects: Multiple
Date: 2019-November-13
Security risk: Critical 
Vulnerability: Unsupported

Drupal Security team released multiple security advisories earlier today, notifying the following contributed modules and themes have been marked as unsupported and therefore should be either fixed or uninstalled:

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Alex

Technical Support Specialist

Nov 6, 2019
Add comment

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management

Description

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Public

Oct 16, 2019
Add comment

Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access Bypass

Description

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Public

Oct 9, 2019
Add comment

Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Project: Maxlength
Date: 2019-October-09
Security risk: Moderately critical 13∕25 
Vulnerability: Cross Site Scripting

Description

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Nick

Marketing Project Manager

Oct 2, 2019
Add comment

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Project: Localization update
Date: 2019-October-02
Security risk: Moderately critical 10∕25 
Vulnerability: Insecure server configuration

Description

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Nick

Marketing Project Manager

Oct 2, 2019
Add comment

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Project: Simple AMP (Accelerated Mobile Pages)
Date: 2019-October-02
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

This module allows display of a site's content in AMP format.

The module doesn't sufficiently check access on unpublished or restricted content.

Solution

Install the latest version of the module.

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Nick

Marketing Project Manager

Sep 25, 2019
Add comment

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Project: Gutenberg
Date: 2019-September-25
Security risk: Critical 16∕25 
Vulnerability: Access bypass

Description

This module provides a new UI experience for node editing - Gutenberg editor.

The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify.

Solution

Install the latest version:

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Nick

Marketing Project Manager

Sep 25, 2019
Add comment

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution

Install the latest version:

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

Nick

Marketing Project Manager

Sep 18, 2019
Add comment

Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.