Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules
Drupal Security team announced today the discovery of vulnerabilities in Drupal 8 core and two Drupal 7 contributed modules - ImageCache Actions and Meta tags quick with the following details and recommended ways of mitigations.
Project: Drupal core Date: 2019-July-17 Security risk: Critical 17∕25 Vulnerability: Access bypass CVE IDs: CVE-2019-6342
In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.
If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5. Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.
Project: ImageCache Actions Date: 2019-July-17 Security risk: Critical 17∕25 Vulnerability: Multiple Vulnerabilities
The Imagecache Actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses
unserialize() to import image styles into another site where
unserialize() is known to have security issues when processing potentially unsafe input.
This vulnerability is mitigated by the fact that the "Image styles admin" sub module must be enabled and an attacker must have a role with the permission "'administer image styles'".
Furthermore, the import functionality supports PHP code included in image effects as part of an image style, which would run on image derivative generation subject to the PHP module being enabled. This is intended behavior for the "Image styles admin" sub module, but the user access restrictions should reflect the potential risks involved.
The new security release of this module introduces a new "import image styles" permission which is marked as restricted. In order to use the image style import functionality, users will need to have a role which has this new permission in addition to "administer image styles" (which is not marked as restricted).
If you use the Imagecache Actions module for Drupal 7.x, upgrade to Imagecache Actions 7.x-1.10. Image Effects, the D8 successor is *not* vulnerable to this exploit.
Meta tags quick
Project: Meta tags quick Date: 2019-July-17 Security risk: Moderately critical 13∕25 Vulnerability: Cross Site Scripting
Install the latest version. If you use the Metatags Quick module for Drupal 7.x, upgrade to Metatags Quick 7.x-2.10.