Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 20 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Wed, 23/05/2018 - 15:30
Project: Zircon
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Education - Critical - Unsupported - SA-CONTRIB-2018-036

Wed, 23/05/2018 - 15:28
Project: Education
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035

Wed, 23/05/2018 - 15:28
Project: TB Sirate
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034

Wed, 23/05/2018 - 15:26
Project: Hotel
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033

Wed, 23/05/2018 - 15:25
Project: iShopping
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032

Wed, 23/05/2018 - 15:23
Project: Corporate Site
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031

Wed, 23/05/2018 - 15:22
Project: TB Nucleus
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Wed, 23/05/2018 - 15:02
Project: SimpleCrop
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Wed, 23/05/2018 - 14:59
Project: Baidu Analytics
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Wed, 23/05/2018 - 14:55
Project: Protected Pages
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Wed, 09/05/2018 - 21:28
Project: SVG Formatter
Date: 2018-May-09
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

This module adds a new formatter for file fields, which allows any file extension to be uploaded.

The module does not sufficiently sanitize uploaded SVG files.

This vulnerability is mitigated by the fact that an attacker must have a role with create or edit permission on certain content types that allow SVG files to be uploaded.

Solution:

Install the latest version:

Also see the SVG Formatter project page.

Reported By:

Fixed By:

Coordinated By:
Categories: Technology

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Wed, 09/05/2018 - 15:19
Project: Scrollable Content
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use the Scrollable Content module you should uninstall it.

Reported By:

• Balazs Janos Tatar, Provisional member of the Security Team

Fixed By:

N/A

Categories: Technology

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Wed, 09/05/2018 - 15:16
Project: Simple Taxonomy Revision
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

The Simple Taxonomy Revision module enables revisions for taxonomy terms in Drupal 8.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Simple Taxonomy Revision module, you should uninstall it.

Reported By:

• Balazs Janos Tatar, Provisional member of the Security Team

Fixed By:

N/A

Categories: Technology

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Wed, 09/05/2018 - 15:14
Project: KCFinder integration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

KCFinder is a multi-language file/image manager you can use to easily select, insert, upload and arrange images, Flash movies, and other kinds of files.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the KCFinder integration module, you should uninstall it.

Reported By:

Neil Drumm of the Drupal Security Team

Fixed By:

N/A

Categories: Technology

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023

Wed, 09/05/2018 - 15:09
Project: Multi-Step Registration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

With Multi-Step Registration you can create multi-step (wizard) user account registration forms.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Multi-Step Registration (step) module for Drupal, you should uninstall it.

Reported By:

Ayesh Karunaratne

Fixed By:

N/A

Categories: Technology

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Wed, 25/04/2018 - 18:43
Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: Moderately critical 11/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Request Forgery
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic that uses cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and the site must have a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

Solution:

Install the latest version:

• If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16

Reported By:

Fixed By:

Coordinated By:

Categories: Technology
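
The CSRF weakness in SA-CONTRIB-2018-021 concerns state-changing requests that are authenticated by the session cookie alone: a browser attaches that cookie to a cross-site request automatically, whereas an Authorization header set by a script is not forgeable by another origin. The PHP below is an added example written for this blogroll, not code from the JSON API module or from Drupal, showing the gate a defender wants in front of such an API: a per-session secret, a token header (Drupal 8's REST module uses the header name X-CSRF-Token, which is reused here), a constant-time comparison, and application only to requests that rely on cookie credentials. The `Request` and `CsrfGate` classes, the `SESS` cookie-name prefix check and the sample requests are all constructed for the example; it needs PHP 8.1 or later.

```php
<?php
// Added example (not JSON API module or Drupal core code): a minimal CSRF gate
// for a cookie-authenticated JSON API. Request and CsrfGate are illustrative names.

declare(strict_types=1);

final class Request
{
    public function __construct(
        public readonly string $method,
        public readonly array $headers,   // lower-case header name => value
        public readonly array $cookies,   // cookie name => value
    ) {}

    public function header(string $name): ?string
    {
        return $this->headers[strtolower($name)] ?? null;
    }
}

final class CsrfGate
{
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];
    // Drupal names its session cookie SESS<hash>; the prefix stands in for
    // "this request carries a session cookie" (constructed assumption).
    private const SESSION_COOKIE_PREFIX = 'SESS';

    /** Create (once) and return the per-session secret; $session stands in for $_SESSION. */
    public static function issueToken(array &$session): string
    {
        if (!isset($session['csrf_secret'])) {
            $session['csrf_secret'] = bin2hex(random_bytes(32));
        }
        return $session['csrf_secret'];
    }

    /**
     * Does the request rely on ambient (cookie) credentials? Only those are
     * forgeable cross-site; an explicit Authorization header is not.
     */
    public static function usesCookieAuth(Request $r): bool
    {
        if ($r->header('Authorization') !== null) {
            return false;
        }
        foreach (array_keys($r->cookies) as $name) {
            if (str_starts_with((string) $name, self::SESSION_COOKIE_PREFIX)) {
                return true;
            }
        }
        return false;
    }

    /** True if the request may proceed; false means reject it with 403. */
    public static function allow(Request $r, array $session): bool
    {
        if (in_array(strtoupper($r->method), self::SAFE_METHODS, true)) {
            return true;   // read-only method: nothing to forge
        }
        if (!self::usesCookieAuth($r)) {
            return true;   // explicit credentials, not attached by the browser
        }
        $presented = $r->header('X-CSRF-Token');
        $expected  = $session['csrf_secret'] ?? null;
        if ($presented === null || $expected === null) {
            return false;  // cookie-authenticated write without a token
        }
        return hash_equals($expected, $presented);  // constant-time comparison
    }
}

/** Runs the gate over three constructed requests and returns the decisions. */
function demo(): array
{
    $session = [];
    $token = CsrfGate::issueToken($session);
    $json = ['content-type' => 'application/vnd.api+json'];

    // Cross-site POST: the browser sent the cookie, the attacker cannot know the token.
    $forged = new Request('POST', $json, ['SESSabc123' => 'cookie-value']);
    // Same-origin POST from the site's own JavaScript, carrying the token.
    $legit  = new Request('POST', $json + ['x-csrf-token' => $token], ['SESSabc123' => 'cookie-value']);
    // Script client using an Authorization header (placeholder value), no cookie.
    $apiKey = new Request('POST', ['authorization' => 'Basic PLACEHOLDER'], []);

    return [
        'forged' => CsrfGate::allow($forged, $session),
        'legit'  => CsrfGate::allow($legit, $session),
        'apiKey' => CsrfGate::allow($apiKey, $session),
    ];
}

var_export(demo());
```

The decision to skip the token check for requests without a session cookie is deliberate: CSRF is a confused-deputy problem created by credentials the browser adds on its own, so a client that has to set a header itself is already proving it runs with access to the secret. The mitigation noted in the advisory (an unusual CORS configuration) is the other half of the same picture: a permissive CORS policy is what lets a cross-origin page send the JSON content type without a pre-flight check stopping it.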

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Wed, 25/04/2018 - 18:37
Project: DRD Agent
Date: 2018-April-25
Security risk: Critical 15/25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: PHP object injection
Description:

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data exchanged between them, but to do so they use PHP's serialize/unserialize functions instead of the json_encode/json_decode combination. Because unserialize is called on unauthenticated content, this introduces a PHP object injection vulnerability.

Solution:

Install the latest version:

Reported By:

Fixed By:

Coordinated By:

Categories: Technology
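
SA-CONTRIB-2018-022 contrasts serialize/unserialize with json_encode/json_decode. The difference that matters for security is that a PHP-serialized string can name a class, and unserialize() will instantiate that class and run its magic methods (__wakeup, later __destruct) before the application has looked at the data, whereas JSON can only carry scalars, arrays and objects-as-arrays. The PHP below is an added example written for this blogroll, not DRD or DRD Agent code, showing the unsafe sink beside two safer decoders. The `TempFileCleaner` class, the decoder function names and the wire string are all constructed for the example; it needs PHP 8.0 or later.

```php
<?php
// Added example (not DRD / DRD Agent code): why unserialize() on content that
// has not been authenticated is an object-injection sink, and two safer decoders.

declare(strict_types=1);

// Any autoloadable class is a candidate for instantiation by unserialize().
// This constructed class only records that it was revived; a real class with
// file-system or database side effects in __wakeup/__destruct is what makes
// the sink dangerous.
final class TempFileCleaner
{
    public static array $revived = [];
    public string $path = '';

    public function __wakeup(): void
    {
        self::$revived[] = $this->path;
    }
}

/** Unsafe: the remote peer decides which classes get instantiated. */
function decodeUnsafe(string $wire): mixed
{
    return unserialize($wire);
}

/** Safer variant 1: PHP serialization kept, but no application class may be revived. */
function decodeNoClasses(string $wire): mixed
{
    // With allowed_classes => false every object becomes __PHP_Incomplete_Class,
    // so no constructor, __wakeup or __destruct of an application class runs.
    return unserialize($wire, ['allowed_classes' => false]);
}

/** Safer variant 2, the advisory's recommendation: JSON carries data, never classes. */
function decodeJson(string $wire): array
{
    $data = json_decode($wire, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $data;
}

/** Feeds a constructed hostile payload to each decoder and reports what happened. */
function demo(): array
{
    // Constructed wire input naming a class the application never meant to build
    // from network data. The path is a placeholder, not a real target.
    $hostile = 'O:15:"TempFileCleaner":1:{s:4:"path";s:16:"/tmp/placeholder";}';

    TempFileCleaner::$revived = [];
    $obj = decodeUnsafe($hostile);            // a live TempFileCleaner; __wakeup already ran
    $unsafeRevived = count(TempFileCleaner::$revived);

    TempFileCleaner::$revived = [];
    $stub = decodeNoClasses($hostile);        // an inert __PHP_Incomplete_Class instance
    $noClassRevived = count(TempFileCleaner::$revived);

    // The same data as JSON cannot express "instantiate this class" at all.
    $data = decodeJson(json_encode(['path' => '/tmp/placeholder'], JSON_THROW_ON_ERROR));

    return [
        'unsafe_decoder_type'      => get_class($obj),
        'unsafe_wakeup_calls'      => $unsafeRevived,
        'no_classes_decoder_type'  => get_class($stub),
        'no_classes_wakeup_calls'  => $noClassRevived,
        'json_decoder_result'      => $data,
    ];
}

var_export(demo());
```

Two design points follow from the advisory's wording. First, "encrypted" is not "authenticated": a message must be checked against a MAC or signature, and the sender's identity established, before any decoder touches it, otherwise the decoder itself is the first thing an unauthenticated party gets to drive. Second, allowed_classes => false only neutralises class instantiation; switching the format to JSON removes the capability from the wire format entirely, which is why the advisory names json_encode/json_decode as the right combination.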

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Wed, 25/04/2018 - 18:23
Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: Critical 18/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or on a third-party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution:

Install the latest version:

• If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19

Coordinated By:

• Dave Reid, the module maintainer and member of the Drupal Security Team

Categories: Technology

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Wed, 18/04/2018 - 18:31
Project: Display Suite
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: Critical 17/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting (XSS)
Description:

Display Suite allows you to take full control over how your content is displayed using a drag-and-drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs, leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the URL.

Solution:

Reported By:

Fixed By:

Coordinated By:

Categories: Technology
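
SA-CONTRIB-2018-019 describes a view-mode name taken from the URL and reflected without sufficient validation. The PHP below is an added example written for this blogroll, not Display Suite code, showing the two controls that close that class of bug: resolve the requested name against an allowlist of view modes the site actually defines (rejecting anything that is not a well-formed machine name, and falling back rather than echoing the input), and escape for the HTML context if user input ever has to appear in a message. The `ViewModeResolver` class, the list of known modes and the sample URL values are constructed for the example.

```php
<?php
// Added example (not Display Suite code): treat a view-mode name supplied in the
// URL as untrusted input. Allowlist it against the modes the site defines, fall
// back on anything unknown, and escape any reflection of it into HTML.

declare(strict_types=1);

final class ViewModeResolver
{
    /** @var string[] view modes the site has defined (constructed list) */
    private array $known;

    public function __construct(array $known)
    {
        $this->known = array_values($known);
    }

    /**
     * Returns the requested mode only if it is a well-formed machine name
     * (lowercase letters, digits, underscores, at most 32 characters) and is
     * one of the known modes; otherwise returns $fallback. The rejected value
     * is never used for rendering and never echoed by this method.
     */
    public function resolve(?string $requested, string $fallback = 'default'): string
    {
        if ($requested === null) {
            return $fallback;
        }
        if (preg_match('/\A[a-z0-9_]{1,32}\z/', $requested) !== 1) {
            return $fallback;
        }
        return in_array($requested, $this->known, true) ? $requested : $fallback;
    }

    /**
     * If a diagnostic must mention the user's value, escape it for an HTML
     * text context. Attribute and JavaScript contexts need different escaping.
     */
    public static function describe(string $requested): string
    {
        return 'Unknown view mode: '
            . htmlspecialchars($requested, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/** Resolves three constructed URL values: a real mode, an unknown one, one carrying markup. */
function demo(): array
{
    $resolver = new ViewModeResolver(['default', 'teaser', 'full']);
    $fromUrl = ['teaser', 'search_result', '<b>not_a_mode</b>'];

    $resolved = [];
    foreach ($fromUrl as $candidate) {
        $resolved[$candidate] = $resolver->resolve($candidate);
    }

    return [
        'resolved' => $resolved,                                   // markup never survives
        'message'  => ViewModeResolver::describe('<b>not_a_mode</b>'), // entity-encoded
    ];
}

var_export(demo());
```

The allowlist is the primary control: once the rendered mode can only ever be one of the site's own names, the URL value has no path into the page at all. The escaping in describe() is defence in depth for the one place the raw value might still be shown, and it is context-specific, so the same string would need attribute or JavaScript escaping if it were placed there instead.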

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Wed, 18/04/2018 - 16:45
Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk: Critical 17/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon
Vulnerability: Access bypass
Description:

This module helps in exporting and importing menu items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Solution:

Update to Menu Import and Export 8.x-1.2.

Reported By:

Fixed By:

Coordinated By:

Categories: Technology