Several moderately critical and critical bugs are found in Drupal core

Several moderately critical and critical bugs are found in Drupal core

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25 
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666

Description

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution

Install the latest version:

If you are using Drupal 7.x, upgrade to Drupal 7.73.
If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true", or you'll need to use the jQuery AJAX API directly.

If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass
CVE IDs: CVE-2020-13667

Description

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Solution

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 13∕25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13669

Description

Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.

Solution

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 12∕25 
Vulnerability: Information disclosure
CVE IDs: CVE-2020-13670

Description

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Solution

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Project: Drupal core
Date: 2020-September-16
Security risk: Critical 15∕25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13668

Description

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Solution

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kind of Open Source applications, AI, bitcoins, but mostly about Drupal. For last years has been actively developing AltaGrade's new back-end system.
2 comments

Hello Nick,
Thank for your post. My Drupal site (D7) has one field that uses 'Autocomplete' widget.
Autocomplete stopped working after I updated to Drupal 7.73 ("SA-CORE-2020-007")
Looking at the console, the error states: "Uncaught TypeError: Drupal.sanitizeAjaxUrl is not a function"

Following your suggestion, I have set "jsonp: true" on autocomplete.js and ajax.js; however, this does not fix the problem.

What do you think I might be missing?

Laura

Hello,
Just a follow up on my previous post; what did the trick was clearing cache.
Thanks again for the post.
Laura

We value your opinion. Please add your feedback.