Security advisories for multiple Drupal 8 contributed modules: Smart Trim, Modal Page, Taxonomy access fix, Permissions by Term

Project: Smart Trim
Version: 8.x-1.x
Date: 2019-December-11
Security risk: Moderately critical
Vulnerability: Cross site scripting

Description

The Smart Trim module allows site builders additional control with text summary fields.

The module doesn't sufficiently filter text when certain options are selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site, and that certain options must be selected for the trimmed output.

Solution

Install the latest version:

If you use the Smart Trim module for Drupal 8.x, upgrade to smart_trim-8.x-1.2

Project: Modal Page
Version: 8.x-2.x
Date: 2019-December-11
Security risk: Moderately critical 10/25
Vulnerability: Access bypass

Description

This project enables administrators to create modal dialogs.

The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations.

Solution

If you use the Modal Page module 8.x-2.x, upgrade to 8.x-2.5
Review user permissions after updating to ensure only trusted users have access to manage modals.
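The access bypass above comes down to route definitions whose requirements did not restrict who may reach them. The following is an added illustration (not Modal Page's own routing file) of the weak pattern beside the corrected one in a Drupal 8 *.routing.yml; the route names, path, form class and permission string are assumptions for the example.

```yaml
# Added illustration, not the module's real routing.yml. Route name, path, form
# class and permission are assumed.

# Weak: '_access: TRUE' makes the route reachable by every user, including
# anonymous visitors, so anyone can open the form and modify configuration.
modal_page.example_form:
  path: '/admin/structure/modal-page/example'
  defaults:
    _form: '\Drupal\modal_page\Form\ExampleForm'   # hypothetical form class
    _title: 'Modal page'
  requirements:
    _access: 'TRUE'

---
# Corrected: the route requires an explicit permission, so only roles that have
# been granted it can reach the form. Core's 'administer site configuration' is
# used here only because the module's actual permission name is not stated in
# the advisory; a module would normally declare its own in *.permissions.yml.
modal_page.example_form:
  path: '/admin/structure/modal-page/example'
  defaults:
    _form: '\Drupal\modal_page\Form\ExampleForm'   # hypothetical form class
    _title: 'Modal page'
  requirements:
    _permission: 'administer site configuration'
```

After updating, confirming which roles hold the relevant permission on the People > Permissions page is the practical check the advisory asks for.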

Project: Taxonomy access fix
Version: 8.x-2.x
Date: 2019-December-11
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check:

  • if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms
  • if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.

The vulnerability is mitigated by the following facts:

  • the user interface to change the status of Taxonomy Terms has been released in Drupal Core 8.8, and a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished;
  • all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions;
  • an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.

Solution

Install the latest version:

If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7

Project: Permissions by Term
Date: 2019-December-11
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms.

The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists.

Solution

Install the latest version:

If you use the Permissions by Term module for Drupal 8.x, upgrade to Version 8.x-2.0
The settings have been refactored and are now bundled in the "permissions_by_term.settings.yml" file. Since there are only a few settings, you can simply visit the Permissions by Term settings page and set them manually, for example the "single term restriction" setting.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For the last few years he has been actively developing AltaGrade's new back-end system.