Blogroll: Drupal Contrib Security
I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 6 posts from the blog 'Drupal Contrib Security.'
Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!
Group - Less critical - Access bypass - SA-CONTRIB-2023-054
The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.
The module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.
This vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.
Solution: Install the latest version:
- Sites using Group version 2 should upgrade to Group v2.2.2
- Sites using Group version 3 should upgrade to Group v3.2.2
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053
The Xsendfile module enables fast transfer for private files in Drupal.
In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.
Solution: Install the latest version:
- If you use the Xsendfile module for Drupal 8.x, upgrade to Xsendfile 8.x-1.2.
- Greg Knaddison of the Drupal Security Team
Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052
This module enables you to pay online via Mollie.
The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying.
This vulnerability is mitigated by the fact that an attacker must have some knowledge about the module's internal functionality. The issue only affects installations that use the Mollie for Drupal Commerce submodule.
Solution: Install the latest version:
- If you use the Mollie for Drupal module, upgrade to Mollie for Drupal 2.2.1.
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team
GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051
The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.
The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the user's behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your site's CORS configuration.
This vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).
Solution: Install the latest version:
- If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6
- If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4
This vulnerability can also be mitigated by setting the SameSite attribute on session cookies to Lax (recommended) or Strict. This might not be suitable for sites that need to share the Drupal session cookie in some way with other sites. Set the following in your site's services.yml file:
parameters:
  session.storage.options:
    # Session cookies are only used for backend admin accounts, so we restrict
    # the cookies to be used only from the backend origin. We don't use "Strict"
    # because that also removes cookies whenever an admin navigates from an
    # email or chat app, which is inconvenient. See
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
    cookie_samesite: Lax
Reported By:
Fixed By:
- Sam Becker
- Klaus Purer
- Alexander Varwijk
- Luis
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
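One way to confirm that the SameSite mitigation for SA-CONTRIB-2023-051 actually reaches the browser, as an added check that is not part of the advisory or of the GraphQL module: the script below parses a response's Set-Cookie headers and flags Drupal session cookies (SESS*/SSESS*) that still lack SameSite=Lax or Strict (and, while it is looking, Secure and HttpOnly). The sample headers are constructed, not captured from a real site.

```python
import re
from typing import Dict, List, Tuple

# Drupal names its session cookie SESS<hash> on HTTP sites and SSESS<hash> on
# HTTPS sites; the hex suffix is derived from the site's base URL.
SESSION_COOKIE_RE = re.compile(r"^S?SESS[0-9a-f]+$", re.IGNORECASE)
ACCEPTED_SAMESITE = {"lax", "strict"}

# Constructed sample responses: the first is what a site without the
# cookie_samesite setting sends, the second reflects cookie_samesite: Lax.
SAMPLE_HEADERS = [
    "SSESS1a2b3c4d=abc123; Max-Age=2000000; path=/; domain=.example.com; secure; HttpOnly",
    "SSESS1a2b3c4d=abc123; Max-Age=2000000; path=/; secure; HttpOnly; SameSite=Lax",
    "visitor_pref=dark; path=/",
]

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per Drupal session cookie that still lacks the SameSite
    mitigation from SA-CONTRIB-2023-051, or that is otherwise weakly scoped."""
    findings: List[str] = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not SESSION_COOKIE_RE.match(name):
            continue  # not a Drupal session cookie; other cookies are out of scope here
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ACCEPTED_SAMESITE:
            findings.append(f"{name}: SameSite is {samesite or 'unset'}; expected Lax or Strict")
        if name.upper().startswith("SSESS") and "secure" not in attrs:
            findings.append(f"{name}: HTTPS session cookie sent without the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie sent without HttpOnly")
    return findings

if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_HEADERS):
        print(finding)
```

Feed it the Set-Cookie headers from a real login response (e.g. copied from the browser's network panel) to check a site after deploying the services.yml change.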
GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050
This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.
The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label, creating an access bypass vulnerability.
This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt in to supporting different logic on entity types. Additionally, your schema must make use of the EntityLabel DataProducer to be affected.
Solution: Install the latest version:
- If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6
- If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4
- Greg Knaddison of the Drupal Security Team
Paragraphs admin - Moderately critical - Access bypass - SA-CONTRIB-2023-049
This module enables you to view all paragraph entities in an admin view.
The module contains an access bypass that allows non-admin users to access the view.
The vulnerability can be mitigated by editing the view to change the permission required to access the page.
Solution: Install the latest version:
- If you use the paragraphs_admin module for Drupal 8.x, upgrade to paragraphs_admin 8.x-1.5
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team