Blogroll: Drupal Contrib Security

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 16 posts from the blog 'Drupal Contrib Security.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!


XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Wed, 18/07/2018 - 16:31
Project: XML sitemap
Date: 2018-July-18
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution.

Solution: 

Also see the XML sitemap project page.


Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Wed, 18/07/2018 - 15:39
Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection
Description:

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution: 

Install the latest version:

Also see the Taxonomy Entity Queue project page.


Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

Wed, 11/07/2018 - 15:41
Project: Tapestry
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

Also see the Tapestry project page.


litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

Wed, 11/07/2018 - 15:38
Project: litejazz
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

Also see the litejazz project page.


NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Wed, 11/07/2018 - 15:35
Project: NewsFlash
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

Also see the NewsFlash project page.


Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

Wed, 11/07/2018 - 15:32
Project: Beale Street
Date: 2018-July-11
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution: 

Also see the Beale Street project page.


EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

Wed, 11/07/2018 - 15:24
Project: EU Cookie Compliance
Date: 2018-July-11
Security risk: Moderately critical 12/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs leading to XSS. This is mitigated by the attacker having the permission "Administer EU Cookie Compliance."

Solution: 

Install the latest version:

Also see the EU Cookie Compliance project page.


Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Wed, 11/07/2018 - 15:15
Project: Commerce Custom Order Status
Date: 2018-July-11
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Solution: 

Install the latest version:

Also see the Commerce Custom Order Status project page.


Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

Wed, 04/07/2018 - 17:56
Project: Universally Unique IDentifier
Date: 2018-July-04
Security risk: Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Arbitrary file upload
Description:

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has an arbitrary file upload vulnerability when it is used in combination with the Services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to upload to the file create REST endpoint.

Solution: 
  • If you use the uuid module for Drupal 7.x, upgrade to uuid 7.x-1.1
  • Also see the Universally Unique IDentifier project page


TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Wed, 27/06/2018 - 18:24
Project: TFA Basic plugins
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or SMS.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes, which is an uncommon configuration.

Solution:

Also see the TFA Basic plugins project page.


Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

Wed, 27/06/2018 - 18:11
Project: Mass Password Reset
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Solution:

Install the latest version:

Also see the Mass Password Reset project page.


Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

Wed, 27/06/2018 - 17:49
Project: Generate Password
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version:

  • If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1

Also see the Generate Password project page.


Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Wed, 13/06/2018 - 15:03
Project: Custom Tokens
Date: 2018-June-13
Security risk: Critical 16/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description:

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version and review your permissions.

Note: after upgrading, additional configuration steps are required. Sites using this module should review the permissions page at Administration » People » Permissions to verify that only trusted users are granted permissions defined by the module, such as "administer custom tokens".

Also see the Custom Tokens project page.


Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Wed, 06/06/2018 - 14:05
Project: Entity Delete
Date: 2018-June-06
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution:

Install the latest version:

Also see the Entity Delete project page.


AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

Wed, 06/06/2018 - 14:01
Project: AdTego SiteIntel - AdBlocker Detect
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution:

If you use this project, you should uninstall it.


Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

Wed, 06/06/2018 - 13:58
Project: Mollom
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.

Solution:

If you use this project, you should uninstall it.

Fixed By: N/A
Coordinated By: N/A
