Drupal Security Advisories

Project: Universally Unique IDentifier
Date: 2019-May-29
Security risk: Moderately critical 14/25 AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it is used in combination with the Services module's REST server.

This vulnerability is mitigated by the fact that an attacker must be able to authenticate to the site, the Services module must be configured on the site, and its user update resource must be enabled.

Solution: 

Install the latest version:

  • If you use the Universally Unique IDentifier module for Drupal 7.x, upgrade to UUID 7.x-1.3

Also see the Universally Unique IDentifier project page.

Project: TableField
Version: 7.x-3.x-dev, 7.x-2.x-dev
Date: 2019-May-29
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass and Cross Site Scripting
Description:

This module allows you to attach tabular data to an entity.

Access bypass

There is no access check beyond the "Export Tablefield Data as CSV" permission: users who hold it can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.
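As an added illustration of the missing check (this is not TableField's own code; the module name, path, permission machine name, and the assumption that the stored field value unserializes to an array of rows are all hypothetical), here is the Drupal 7 pattern with a permission-only access callback next to one that also applies node access:

```php
<?php
// Added illustration, not TableField's own code. Hypothetical Drupal 7
// module "tablefield_export_example": the weak export path is gated on a
// permission only, the hardened one on permission plus node access.
// Path, permission machine name and function names are assumptions.

/**
 * Implements hook_permission().
 */
function tablefield_export_example_permission() {
  return array(
    'export tablefield csv' => array(
      'title' => t('Export Tablefield Data as CSV'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function tablefield_export_example_menu() {
  $items = array();

  // Weak: a role check only. Anyone holding the permission can pull data
  // from unpublished nodes or from nodes hidden by node access modules,
  // because nothing here asks whether this user may view this node.
  $items['tablefield-example/export-weak/%node/%/%'] = array(
    'page callback' => 'tablefield_export_example_csv',
    'page arguments' => array(2, 3, 4),
    'access callback' => 'user_access',
    'access arguments' => array('export tablefield csv'),
    'type' => MENU_CALLBACK,
  );

  // Hardened: the same permission AND the normal node view access check.
  $items['tablefield-example/export/%node/%/%'] = array(
    'page callback' => 'tablefield_export_example_csv',
    'page arguments' => array(2, 3, 4),
    'access callback' => 'tablefield_export_example_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Access callback: permission plus entity-level view access.
 *
 * node_access() takes publication status ("view own unpublished content",
 * "bypass node access") and the node_access grants table into account, so
 * unpublished or access-restricted nodes are refused to users who could not
 * view them on the site.
 */
function tablefield_export_example_access($node, $account = NULL) {
  return user_access('export tablefield csv', $account)
    && node_access('view', $node, $account);
}

/**
 * Page callback: stream one field delta as CSV.
 */
function tablefield_export_example_csv($node, $field_name, $delta) {
  $items = field_get_items('node', $node, $field_name);
  if ($items === FALSE || !isset($items[$delta]['value'])) {
    return MENU_NOT_FOUND;
  }
  // Assumption for this example only: the stored value is a serialized
  // array of rows. TableField's real storage layout is not shown here.
  $rows = unserialize($items[$delta]['value']);
  if (!is_array($rows)) {
    return MENU_NOT_FOUND;
  }
  drupal_add_http_header('Content-Type', 'text/csv; charset=utf-8');
  drupal_add_http_header('Content-Disposition', 'attachment; filename="table.csv"');
  $out = fopen('php://output', 'w');
  foreach ($rows as $row) {
    fputcsv($out, array_values((array) $row));
  }
  fclose($out);
  drupal_exit();
}
```

The point of the hardened callback is that the permission answers "may this role export tables at all", while node_access() answers "may this user see this node"; an export path needs both, and a permission-only gate silently widens read access to everything the export code can load.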

XSS

When "Raw data (JSON or XML)" is selected in the field's Display settings, the JSON output is not sanitized before it is passed on to be rendered.

This vulnerability is mitigated by the fact that an attacker must have a role with edit permissions for the content that carries the field.

Solution: 

Install the latest version:

Also see the TableField project page.

Project: Menu Item Extras
Date: 2019-May-22
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Description:

This module enables you to handle fields for Custom Menu Links.
The module does not sufficiently check requests to one of its controllers: a forged request made from the browser of a user who holds the 'administer menu' permission is accepted, which is a Cross Site Request Forgery.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.
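As an added illustration of the control that is missing in a CSRF of this kind (this is not Menu Item Extras' own code; the module, route names, paths, field and class are hypothetical), here is a Drupal 8 state-changing route without and with the core CSRF token requirement, and the controller it points at:

```php
<?php
// Added illustration, not Menu Item Extras' own code. Hypothetical Drupal 8
// module "menu_extras_example" with one state-changing GET route. Route
// names, paths, the field name and the class are assumptions.
//
// menu_extras_example.routing.yml
//
//   # Weak: any request carrying the victim's session cookie reaches the
//   # controller, so an <img src="..."> on an attacker's page triggers it.
//   menu_extras_example.reset_weak:
//     path: '/admin/structure/menu-extras-example/reset-weak/{menu_link_content}'
//     defaults:
//       _controller: '\Drupal\menu_extras_example\Controller\ResetController::reset'
//     requirements:
//       _permission: 'administer menu'
//
//   # Hardened: the route additionally requires a valid CSRF token. Core's
//   # CsrfAccessCheck verifies the "token" query argument against the route
//   # path before the controller is ever invoked.
//   menu_extras_example.reset:
//     path: '/admin/structure/menu-extras-example/reset/{menu_link_content}'
//     defaults:
//       _controller: '\Drupal\menu_extras_example\Controller\ResetController::reset'
//     requirements:
//       _permission: 'administer menu'
//       _csrf_token: 'TRUE'

namespace Drupal\menu_extras_example\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\menu_link_content\MenuLinkContentInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;

class ResetController extends ControllerBase {

  /**
   * Clears a hypothetical extra field on a custom menu link.
   *
   * Nothing in the method body inspects the token: with "_csrf_token: 'TRUE'"
   * on the route the check runs in the access system, so the same method is
   * safe behind the hardened route and forgeable behind the weak one.
   */
  public function reset(MenuLinkContentInterface $menu_link_content) {
    if ($menu_link_content->hasField('field_extra_description')) {
      $menu_link_content->set('field_extra_description', NULL);
      $menu_link_content->save();
    }
    $this->messenger()->addStatus($this->t('Extra field values cleared.'));
    $url = Url::fromRoute('entity.menu_link_content.edit_form', [
      'menu_link_content' => $menu_link_content->id(),
    ]);
    return new RedirectResponse($url->toString());
  }

  /**
   * Builds a link to the hardened route.
   *
   * Url::fromRoute() on a route that carries the _csrf_token requirement has
   * the token query argument appended automatically (RouteProcessorCsrf),
   * so legitimate callers never handle the token by hand while a request
   * forged from another origin cannot produce it.
   */
  public static function resetLink(MenuLinkContentInterface $menu_link_content) {
    return Url::fromRoute('menu_extras_example.reset', [
      'menu_link_content' => $menu_link_content->id(),
    ]);
  }

}
```

The token is bound to the session and to the route path, which is why the requirement belongs on every route that changes state, even one already protected by a permission: the permission describes the victim, not the origin of the request.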

Solution: 

Install the latest version:

Project: Workflow
Date: 2019-May-22
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Workflow module enables you to create arbitrary workflows and assign them to entities.
The module does not sufficiently escape HTML in the field settings, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the "administer nodes" and "administer workflow" permissions.
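Both the TableField "Raw data (JSON or XML)" issue above and this Workflow issue come down to the same omission: a string that was typed by an editor or an administrator reaches the page without being escaped for HTML. As an added illustration (not TableField's or Workflow's own code; the module, formatter and setting names are hypothetical, and Drupal 7 is assumed), here is a formatter that prints a field value as raw JSON under a heading taken from the formatter settings, in its unescaped and escaped forms:

```php
<?php
// Added illustration, not TableField's or Workflow's own code. Hypothetical
// Drupal 7 module "escape_example": a formatter prints the stored value as
// raw JSON under a heading that an administrator enters in the formatter
// settings. Module, formatter and setting names are assumptions.

/**
 * Implements hook_field_formatter_info().
 */
function escape_example_field_formatter_info() {
  return array(
    'escape_example_raw_json' => array(
      'label' => t('Raw data (JSON)'),
      'field types' => array('text', 'text_long'),
      'settings' => array('escape_example_label' => ''),
    ),
  );
}

/**
 * Implements hook_field_formatter_settings_form().
 *
 * The heading is entered by whoever may administer the display, which is
 * the "administer" level input the Workflow advisory shows still has to be
 * escaped on output.
 */
function escape_example_field_formatter_settings_form($field, $instance, $view_mode, $form, &$form_state) {
  $settings = $instance['display'][$view_mode]['settings'];
  $element['escape_example_label'] = array(
    '#type' => 'textfield',
    '#title' => t('Heading shown above the raw data'),
    '#default_value' => isset($settings['escape_example_label']) ? $settings['escape_example_label'] : '',
  );
  return $element;
}

/**
 * Implements hook_field_formatter_view().
 */
function escape_example_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    $element[$delta] = array(
      '#markup' => escape_example_render_json($item, $display['settings']),
    );
  }
  return $element;
}

/**
 * Weak: value and setting go straight into #markup.
 *
 * Whatever the content editor typed into the field, or the administrator
 * typed into the heading, is emitted verbatim, so "<script>" in either runs
 * in every viewer's browser. json_encode() on its own only escapes quotes
 * and slashes inside strings; it does not touch "<" or ">".
 */
function escape_example_render_json_weak(array $item, array $settings) {
  $label = isset($settings['escape_example_label']) ? $settings['escape_example_label'] : '';
  return '<h4>' . $label . '</h4><pre>' . json_encode($item) . '</pre>';
}

/**
 * Hardened: every string is escaped for HTML before it enters #markup.
 *
 * check_plain() is htmlspecialchars() with ENT_QUOTES in UTF-8, so <, >, &
 * and quotes become entities; the browser decodes them back and the reader
 * sees the original JSON, while no tag in it can be parsed as markup.
 * (Drupal 7's drupal_json_encode() passes JSON_HEX_TAG and related flags to
 * json_encode(), which covers the JSON part alone; the heading still needs
 * check_plain().)
 */
function escape_example_render_json(array $item, array $settings) {
  $label = isset($settings['escape_example_label']) ? $settings['escape_example_label'] : '';
  return '<h4>' . check_plain($label) . '</h4><pre>' . check_plain(json_encode($item)) . '</pre>';
}
```

The rule the two advisories share is that the trust level of the person who entered a string ("administer workflow" included) does not make it safe to render; escaping happens at output, unconditionally, and the formatter above calls the hardened renderer for that reason.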

Solution: 

Install the latest version:

Project: Multiple Registration
Date: 2019-May-15
Security risk: Critical 19/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module does not sufficiently check which user roles may be registered, so a visitor can register an account that is assigned the administrator role.

This vulnerability is only partially mitigated on sites where account approval is required: the new user starts out blocked, but still receives the "Administrator" role.
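As an added illustration of the check that has to sit behind a role-selecting registration form (this is not the Multiple Registration module's own code; the module, its config key and the form element names are hypothetical), here is a Drupal 8 form alter whose allowlist can never contain an administrator role and which validates the submitted value against that allowlist rather than against the list of roles that exist:

```php
<?php
// Added illustration, not the Multiple Registration module's own code.
// Hypothetical Drupal 8 module "reg_roles_example": the role a visitor may
// pick while registering is filtered through an allowlist that can never
// contain an administrator role. Config key and element names are assumptions.

use Drupal\Core\Form\FormStateInterface;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

/**
 * Roles an anonymous visitor may self-assign while registering.
 *
 * The allowlist comes from the module's own config (assumed to be a list of
 * role IDs). Anything not listed is dropped, and the locked roles and any
 * role flagged "is_admin" are dropped even if a site builder listed them.
 */
function reg_roles_example_allowed_roles(): array {
  $configured = \Drupal::config('reg_roles_example.settings')->get('roles') ?: [];
  $allowed = [];
  foreach (Role::loadMultiple($configured) as $rid => $role) {
    if ($rid === RoleInterface::ANONYMOUS_ID || $rid === RoleInterface::AUTHENTICATED_ID) {
      continue;
    }
    if ($role->isAdmin()) {
      // An admin role holds every permission; it must never be reachable
      // from an unauthenticated registration form, approval queue or not.
      continue;
    }
    $allowed[$rid] = $role->label();
  }
  return $allowed;
}

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function reg_roles_example_form_user_register_form_alter(array &$form, FormStateInterface $form_state) {
  $form['reg_roles_example_role'] = [
    '#type' => 'select',
    '#title' => t('Register as'),
    '#options' => reg_roles_example_allowed_roles(),
    '#required' => TRUE,
  ];
  $form['#validate'][] = 'reg_roles_example_validate_role';
  // Run before ::submitForm so the role is present when the entity is built.
  if (isset($form['actions']['submit']['#submit'])) {
    array_unshift($form['actions']['submit']['#submit'], 'reg_roles_example_submit_role');
  }
}

/**
 * Validation: trust the allowlist, not the submitted value.
 *
 * A POST can carry any role ID regardless of what the select box showed. A
 * check that only asks "does this role exist?" is what lets a visitor submit
 * "administrator"; the check must be membership in the allowlist.
 */
function reg_roles_example_validate_role(array &$form, FormStateInterface $form_state) {
  $rid = $form_state->getValue('reg_roles_example_role');
  if (!array_key_exists($rid, reg_roles_example_allowed_roles())) {
    $form_state->setErrorByName('reg_roles_example_role', t('That role cannot be chosen at registration.'));
  }
}

/**
 * Submit: hand the validated role to the account form's entity builder.
 *
 * AccountForm::buildEntity() reads the top-level "roles" form value, so
 * setting it here is enough; the account's blocked/active status is still
 * decided by the site's user.settings:register policy, untouched.
 */
function reg_roles_example_submit_role(array &$form, FormStateInterface $form_state) {
  $rid = $form_state->getValue('reg_roles_example_role');
  $form_state->setValue('roles', [$rid]);
}
```

Re-validating on the server against the allowlist, and computing that allowlist without any path that admits an admin role, is the whole fix; the approval queue mentioned in the advisory is not a substitute, since a blocked account that already carries the administrator role becomes fully privileged the moment anyone approves it.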

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
  • Cash Williams of the Drupal Security Team
Project: Opigno Learning path
Date: 2019-May-15
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

In certain configurations, when a learning path is configured as semi-private, anonymous users are allowed to join the learning path when they should not be.

Solution:

Install the latest version:

Also see the Opigno Learning path project page.

Project: Opigno forum
Date: 2019-May-15
Security risk: Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

In certain circumstances, forum information can be available to unprivileged users because the module's access check is done with node access rather than with node access grants.

This vulnerability is mitigated by the fact that the module itself does not disclose the information; it is exposed only through listings, such as Views, where the site builder or developer has not taken this into account.
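The distinction the advisory draws is between an access check that a module performs in its own code paths and grants recorded in the node_access table, which is what Views, entity queries and search consult without ever calling the module. As an added illustration (not Opigno's own code; the module, the group reference field and the membership table are hypothetical, and Drupal 8 is assumed), here is the in-code check next to the grant hooks that make listings respect the same rule:

```php
<?php
// Added illustration, not Opigno's own code. Hypothetical Drupal 8 module
// "forum_grants_example": forum nodes carry an entity reference
// "field_group" (assumption) and membership lives in a custom table
// forum_grants_example_membership(uid, gid) (assumption).

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * The in-code check only: correct for the module's own pages, invisible
 * to everything else.
 *
 * $node->access('view') is evaluated when a controller asks for it. A Views
 * listing or an entity query never asks; they join the node_access table,
 * and when no module has recorded grants for a node, that table holds the
 * default "all" record that lets anyone view it.
 */
function forum_grants_example_in_code_check(NodeInterface $node, AccountInterface $account): bool {
  return $node->bundle() === 'forum' && $node->access('view', $account);
}

/**
 * Implements hook_node_access_records().
 *
 * Records say who may see the node. They are written to node_access on save
 * and on node_access_rebuild(); listings, queries and search read them.
 */
function forum_grants_example_node_access_records(NodeInterface $node) {
  if ($node->bundle() !== 'forum' || !$node->hasField('field_group')) {
    return [];
  }
  $gid = (int) $node->get('field_group')->target_id;
  if (!$gid) {
    return [];
  }
  return [
    [
      'realm' => 'forum_grants_example_group',
      'gid' => $gid,
      'grant_view' => (int) $node->isPublished(),
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    ],
  ];
}

/**
 * Implements hook_node_grants().
 *
 * Returns, per realm, the grant IDs this account holds: the groups it is a
 * member of. Listings and queries match these against the records above,
 * so a forum whose group the user is not in never appears in a View.
 */
function forum_grants_example_node_grants(AccountInterface $account, $op) {
  if ($op !== 'view') {
    return [];
  }
  $gids = \Drupal::database()
    ->select('forum_grants_example_membership', 'm')
    ->fields('m', ['gid'])
    ->condition('uid', $account->id())
    ->execute()
    ->fetchCol();
  return $gids ? ['forum_grants_example_group' => array_map('intval', $gids)] : [];
}

/**
 * Implements hook_install() (belongs in the module's .install file).
 *
 * Forum nodes saved before the hooks existed have no records until the
 * table is rebuilt.
 */
function forum_grants_example_install() {
  node_access_rebuild();
}
```

Once grants exist, the in-code check and the listings agree, which is the property the advisory says was missing: a site builder who adds a View of forum nodes no longer has to know about the module's private rule to avoid leaking them.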

Solution:

Install the latest version:

Also see the Opigno forum project page.

Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14/25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Third-party libraries
Description:

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

    In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

    The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

Solution:

Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

