Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 10 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

Wed, 28/07/2021 - 17:39
Project: Pages Restriction Access
Date: 2021-July-28
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This project lets administrators restrict anonymous and regular users from accessing pre-defined pages.

The administration routes used by the project lacked proper permission requirements, allowing untrusted users to access, create and modify the module's settings.
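A route that "lacks proper permissions" in Drupal terms is one whose `requirements` carry no `_permission`, `_role` or access-check key, or carry an unconditional `_access: 'TRUE'`. As an added example (not the project's code or its fix), the route subscriber below is the site-level mitigation a practitioner can drop into a small custom module while waiting for an upgrade: it forces a permission requirement onto named routes. The module name `mysite_hardening`, the route names and the permission string are assumptions; take the real route names from the affected module's `*.routing.yml`.

```php
<?php

namespace Drupal\mysite_hardening\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Site-level mitigation: force a permission requirement onto admin routes
 * that a contrib module exposed without one.
 *
 * Route names and the permission below are placeholders (assumed for this
 * example); read the real ones from the module's *.routing.yml.
 */
class HardenAdminRoutesSubscriber extends RouteSubscriberBase {

  /**
   * Route name => permission the route must require.
   */
  const ROUTE_PERMISSIONS = [
    'example_module.settings_form' => 'administer site configuration',
    'example_module.rule_add' => 'administer site configuration',
    'example_module.rule_edit' => 'administer site configuration',
  ];

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    foreach (self::ROUTE_PERMISSIONS as $name => $permission) {
      $route = $collection->get($name);
      if ($route === NULL) {
        // Route not present (module not installed or renamed): nothing to do.
        continue;
      }
      // Keep the module's own requirements (e.g. parameter regexes), drop an
      // unconditional `_access: 'TRUE'` if present, and add the permission.
      // Drupal ANDs every access requirement on a route, so once
      // `_permission` is present a user without it is denied regardless of
      // what else the module declared.
      $requirements = $route->getRequirements();
      unset($requirements['_access']);
      $requirements['_permission'] = $permission;
      $route->setRequirements($requirements);
    }
  }

}
```

Register the class in the custom module's `mysite_hardening.services.yml` with the `event_subscriber` tag, then rebuild the router (`drush cache:rebuild`). Verify by requesting each hardened path as an anonymous user and confirming a 403; this is also the quickest way to confirm that the upgraded module itself now denies the routes.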

Solution: 

Install the latest version:

Categories: Technology

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Wed, 21/07/2021 - 17:51
Project: Form mode manager
Date: 2021-July-21
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:None/II:Some/E:Proof/TD:Default
Vulnerability: Access bypass
Description:

This module provides a user interface for implementing and using form modes without custom development.

The module does not sufficiently respect access restrictions on entity forms for the routes it creates to expose specific form modes.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example 'use X form mode'.
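The failure mode described above is a route whose access check stops at "may this account use form mode X?" and never asks the entity whether this account may edit it. As an added example (not the module's code or its patch), the class below shows that weak check next to the hardened one, written as a Drupal `_custom_access` callback for a route of the shape `/{entity_type}/{entity}/edit/{form_mode}`. The class and module names, the route parameter names `entity` and `form_mode`, and the permission pattern `use X form mode` (taken from the advisory text) are assumptions.

```php
<?php

namespace Drupal\example_form_modes\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access callback for a form-mode edit route.
 *
 * Wire it up in routing.yml with
 *   requirements:
 *     _custom_access: '\Drupal\example_form_modes\Access\FormModeEditAccess::access'
 * (names assumed for this example).
 */
class FormModeEditAccess {

  /**
   * WEAK: checks only the form-mode permission. An account that may not edit
   * the entity still reaches its edit form through this route.
   */
  public function accessWeak(AccountInterface $account, RouteMatchInterface $route_match): AccessResultInterface {
    $form_mode = $route_match->getParameter('form_mode');
    return AccessResult::allowedIfHasPermission($account, "use $form_mode form mode");
  }

  /**
   * HARDENED: the form-mode permission AND the entity's own 'update' access
   * must both allow. andIf() yields forbidden/neutral if either side does,
   * and the cache metadata of both checks is carried on the result.
   */
  public function access(AccountInterface $account, RouteMatchInterface $route_match): AccessResultInterface {
    $form_mode = $route_match->getParameter('form_mode');
    $entity = $route_match->getParameter('entity');
    if (!$entity instanceof EntityInterface) {
      // Upcasting failed or the parameter is missing: never fall open.
      return AccessResult::forbidden('No entity in the route.');
    }
    return AccessResult::allowedIfHasPermission($account, "use $form_mode form mode")
      ->andIf($entity->access('update', $account, TRUE))
      ->addCacheableDependency($entity);
  }

}
```

The `TRUE` third argument to `$entity->access()` requests an `AccessResultInterface` rather than a boolean, which is what makes the result composable with `andIf()` and keeps the entity's cache tags on the final decision. A quick regression check for a fix of this class of bug: log in as a user who has the form-mode permission but not 'edit any/own' rights on a specific entity, and request the form-mode route for that entity; it must return 403.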

Solution: 

Install the latest version:

Categories: Technology

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022

Wed, 30/06/2021 - 17:46
Project: Block Content Revision UI
Date: 2021-June-30
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI for Block Content entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

Categories: Technology

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021

Wed, 30/06/2021 - 17:43
Project: Linky Revision UI
Date: 2021-June-30
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI for Linky entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

Categories: Technology

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020

Wed, 30/06/2021 - 17:39
Project: Apigee Edge
Date: 2021-June-30
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal.

The module did not properly validate user access for data creation in certain circumstances.

Solution: 

Install the latest version:

  • If you use the apigee_edge module for Drupal 8.x, upgrade to Apigee Edge module 8.x-1.2 or later. Note that the 8.x-1.2 release is old and superseded due to SA-CONTRIB-2020-028. Users of the module should upgrade to a version including or newer than 8.x-1.12.
Categories: Technology

Opigno group manager - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-019

Wed, 23/06/2021 - 17:51
Project: Opigno group manager
Date: 2021-June-23
Security risk: Less critical 9/25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: UI redressing (clickjacking)
Description:

This project belongs to the Opigno LMS distribution; it implements the group manager in Opigno LMS.

The module does not set the X-Frame-Options header and prevents other modules (e.g. Security Kit) from adding it, leaving the pages it renders vulnerable to clickjacking.

Solution: 

Install the latest version:

The issue was fixed in public but needed a security advisory. Users of the module are encouraged to upgrade to 8.x-1.8 or later to gain protection against this weakness.

Categories: Technology

Opigno Learning path - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-018

Wed, 23/06/2021 - 17:47
Project: Opigno Learning path
Date: 2021-June-23
Security risk: Less critical 9/25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: UI redressing (clickjacking)
Description:

This project belongs to the Opigno LMS distribution; it implements the learning path, which combines the different steps of a training in Opigno LMS in a flexible way.

The module does not set the X-Frame-Options header and prevents other modules (e.g. Security Kit) from adding it, leaving the pages it renders vulnerable to clickjacking.
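Both Opigno advisories above (SA-CONTRIB-2021-018 and SA-CONTRIB-2021-019) describe the same weakness: the anti-framing header is absent and a module prevents others from adding it. Drupal core itself sends `X-Frame-Options: SAMEORIGIN` by default, so a module can only cause this by removing the header from the response after core set it. As an added example (not Opigno's code or its fix) the subscriber below is a site-level mitigation for that pattern: it runs with a very low priority on the response event, so it comes after any subscriber that stripped the header, and restores both the legacy `X-Frame-Options` header and a CSP `frame-ancestors` directive. It assumes Drupal 9 or later (Symfony's `ResponseEvent` class), that the stripping subscriber does not itself use an even lower priority, and the module name `mysite_hardening`.

```php
<?php

namespace Drupal\mysite_hardening\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Restores anti-framing headers on every response.
 *
 * Example mitigation for a module that strips X-Frame-Options; not the
 * Opigno fix. Assumes no other subscriber runs later than priority -1000.
 */
class FrameHeadersSubscriber implements EventSubscriberInterface {

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // Very low priority: run after core's FinishResponseSubscriber and after
    // any module subscriber that removed the header.
    return [KernelEvents::RESPONSE => ['onResponse', -1000]];
  }

  /**
   * Adds X-Frame-Options and a CSP frame-ancestors directive if missing.
   *
   * Runs on sub-requests as well; harmless, since the headers are idempotent.
   */
  public function onResponse(ResponseEvent $event): void {
    $headers = $event->getResponse()->headers;

    // Legacy control, still honoured by every browser. Do not overwrite a
    // value another module (e.g. Security Kit) chose deliberately.
    if (!$headers->has('X-Frame-Options')) {
      $headers->set('X-Frame-Options', 'SAMEORIGIN');
    }

    // Modern control: browsers that support CSP frame-ancestors use it in
    // preference to X-Frame-Options, so set it too. Append to an existing
    // policy rather than replacing it.
    $csp = (string) $headers->get('Content-Security-Policy', '');
    if (stripos($csp, 'frame-ancestors') === FALSE) {
      $headers->set('Content-Security-Policy', trim($csp . "; frame-ancestors 'self'", '; '));
    }
  }

}
```

Register the class in `mysite_hardening.services.yml` with the `event_subscriber` tag and clear caches. To verify, fetch an affected page with `curl -sI` and confirm both headers are present; since Drupal's page cache stores headers with the cached response, clear the cache first or the old header-less copy will be served. A clickjacking check belongs in any pre-release scan of a distribution such as Opigno: a single `<iframe src="https://site/affected-path">` on a third-party origin should render blank, not the page.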

Solution: 

Install the latest version:

The issue was fixed in public but needed a security advisory. Users of the module are encouraged to upgrade to 8.x-1.11 or later to gain protection against this weakness.

Categories: Technology

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

Wed, 16/06/2021 - 17:15
Project: Block Content Revision UI
Date: 2021-June-16
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI to Block Content entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

Categories: Technology

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016

Wed, 16/06/2021 - 17:05
Project: Linky Revision UI
Date: 2021-June-16
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a revision UI to Linky entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

Categories: Technology

Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015

Wed, 16/06/2021 - 16:58
Project: Chaos Tool Suite (ctools)
Date: 2021-June-16
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal. Its 8.x-3.x branch is a from-scratch rewrite that evaluates the ctools features that did not make it into Drupal core 8.0.x and ports them.

The module does not sufficiently handle block access control in its EntityView block plugin. This is a follow-up that more fully implements the fixes from SA-CONTRIB-2021-009.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions: a block plugin that extends EntityView and overrides blockAccess() with a result that differs from the default 'AccessResult::allowed()'.
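The mitigating factor above only makes sense once you know how block access is layered in Drupal: `BlockBase::access()` delegates to the protected `blockAccess()` hook, whose default is `AccessResult::allowed()`, and any plugin that renders an entity is expected to tighten that hook to the entity's own view access. A plugin or base class that skips `blockAccess()` on its way to rendering re-opens the block to everyone, which is the shape of the ctools weakness. As an added example (not ctools code or its fix), the block below renders a node teaser and gates visibility on `$node->access('view')`; the plugin id, module name and `nid` setting are assumptions.

```php
<?php

namespace Drupal\example_blocks\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Renders one node's teaser, visible only to users who may view that node.
 *
 * Example code; names assumed (not from ctools).
 *
 * @Block(
 *   id = "example_node_teaser",
 *   admin_label = @Translation("Example: access-checked node teaser"),
 * )
 */
class NodeTeaserBlock extends BlockBase implements ContainerFactoryPluginInterface {

  protected EntityTypeManagerInterface $entityTypeManager;

  public function __construct(array $configuration, $plugin_id, $plugin_definition, EntityTypeManagerInterface $entity_type_manager) {
    parent::__construct($configuration, $plugin_id, $plugin_definition);
    $this->entityTypeManager = $entity_type_manager;
  }

  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    return new static($configuration, $plugin_id, $plugin_definition, $container->get('entity_type.manager'));
  }

  public function defaultConfiguration() {
    // 'nid' is a placeholder setting; a real block would expose it in a form.
    return ['nid' => NULL] + parent::defaultConfiguration();
  }

  /**
   * The access decision lives here, not in build(). BlockBase::access()
   * calls this method; a subclass or base class that bypasses it (or
   * replaces the result with the default allowed()) silently exposes the
   * entity to every viewer. Returning the entity's own access result also
   * carries the right cache tags and contexts onto the block.
   */
  protected function blockAccess(AccountInterface $account): AccessResultInterface {
    $node = $this->loadNode();
    if ($node === NULL) {
      return AccessResult::forbidden('Configured node does not exist.');
    }
    return $node->access('view', $account, TRUE)->addCacheableDependency($node);
  }

  /**
   * build() assumes blockAccess() has already run and does no access logic.
   */
  public function build() {
    $node = $this->loadNode();
    if ($node === NULL) {
      return [];
    }
    return $this->entityTypeManager->getViewBuilder('node')->view($node, 'teaser');
  }

  private function loadNode() {
    $nid = $this->configuration['nid'];
    return $nid ? $this->entityTypeManager->getStorage('node')->load($nid) : NULL;
  }

}
```

When reviewing a block plugin (or a base class such as ctools' EntityView) for this class of bug, look for two things: whether `blockAccess()` consults the rendered entity's access at all, and whether every code path that renders the entity actually goes through `access()` rather than calling `build()` directly. The second is the one that a custom `blockAccess()` override cannot protect against.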

Solution: 

Install the latest version:

  • If you use the CTools module for Drupal 8.x, upgrade to CTools 8.x-3.7
Categories: Technology