Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

Drupal Security team announced today the discovery of vulnerabilities in Drupal 8 core and two Drupal 7 contributed modules - ImageCache Actions and Meta tags quick with the following details and recommended ways of mitigations.

Drupal 8.7.4

Project: Drupal core
Date: 2019-July-17
Security risk: Critical 17∕25
Vulnerability: Access bypass
CVE IDs: CVE-2019-6342

Description

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Solution

If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5. Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.

ImageCache Actions

Project: ImageCache Actions
Date: 2019-July-17
Security risk: Critical 17∕25
Vulnerability: Multiple Vulnerabilities

Description

The Imagecache Actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site where unserialize() is known to have security issues when processing potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".

Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behavior for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.

The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).

Solution

If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10. Image Effects, the D8 successor is *not* vulnerable to this exploit.

Meta tags quick

Project: Meta tags quick
Date: 2019-July-17
Security risk: Moderately critical 13∕25 
Vulnerability: Cross Site Scripting

Description

Metatags quick is a module that manages meta tags (tags that appear in HTML's head section) as Drupal 7 fields. Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution

Install the latest version. If you use the Metatags Quick module for Drupal 7.x, upgrade to Metatags Quick 7.x-2.10.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kind of Open Source applications, AI, bitcoins, but mostly about Drupal. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.