Drupal Security Advisories

Project: File (Field) Paths
Date: 2018-August-15
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to automatically sort and rename your uploaded files using token-based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being uploaded, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to add or overwrite PHP configuration on a Drupal website.

The module doesn't sufficiently control access to set these configurations, leading to arbitrary PHP configuration execution by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, it's important to review the permissions of your website; if the 'administer phpconfig' permission is granted to a user role that is not fully trusted, we advise revoking it.

Solution: 

Install the latest version:

Also see the PHP Configuration project page.

Reported By: Fixed By: Coordinated By: 
  • mpotter of the Drupal Security Team

  • Advisory ID: SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01
Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x
Project: Select (or other)
Date: 2018-July-25
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables users to select 'other' on certain form elements, and a text field appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of a text field when the "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

Also see the Select (or other) project page.

Reported By: Fixed By: Coordinated By: 
  • Michael Hess of the Drupal Security Team
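The escaping problem described in this advisory is the classic field-formatter mistake: a free-text value typed by one user is printed for every viewer without being escaped. The following Drupal 8-style formatter is an added illustration, not the module's own code; the namespace, class and field names are hypothetical, and it shows the unsafe pattern beside the form that escapes the value at render time.

```php
<?php
// Added example, not code from the Select (or other) module.
// Hypothetical module namespace and class name.

namespace Drupal\example\Plugin\Field\FieldFormatter;

use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\FormatterBase;
use Drupal\Core\Render\Markup;

/**
 * Renders the custom "other" value of a field as plain text.
 */
class ExampleOtherFormatter extends FormatterBase {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    foreach ($items as $delta => $item) {
      // Unsafe pattern: Markup::create() tells the renderer the string is
      // already safe HTML, so whatever the submitting user typed is printed
      // unescaped to everyone who views the entity.
      //
      // $elements[$delta] = ['#markup' => Markup::create($item->value)];

      // Hardened: '#plain_text' is escaped by the renderer, so the stored
      // value can only ever appear as literal text, never as markup.
      $elements[$delta] = ['#plain_text' => $item->value];
    }
    return $elements;
  }

}
```

If the value must be embedded in HTML produced by the formatter, pass it to a Twig template as a variable (Twig autoescapes) or through `Html::escape()`; never concatenate it into a `#markup` string.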
Project: XML sitemap
Date: 2018-July-18
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to generate XML sitemaps, which help search engines crawl a website more intelligently and keep their results up to date.

The module doesn't sufficiently check access rights when updating content during cron execution.

Solution:

Also see the XML sitemap project page.

Reported By: Fixed By: Coordinated By:
Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection
Description:

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user-supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution:

Install the latest version:

Also see the Taxonomy Entity Queue project page.

Reported By: Fixed By: Coordinated By:
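The advisory names the root cause as not using Drupal's database API correctly with user-supplied values. The snippet below is an added illustration of that class of bug in Drupal 8-style code, not the module's own code; the table, column and function names are hypothetical. It contrasts string interpolation with placeholders, and shows the one case placeholders cannot cover (identifiers such as a sort column), which needs an allow-list instead.

```php
<?php
// Added example, not code from the Taxonomy Entity Queue module.
// Hypothetical table {example_queue} with columns entity_id, tid, weight, created.

/**
 * Vulnerable pattern: the term id from the request is interpolated into SQL.
 * Anything other than a bare integer becomes part of the statement instead
 * of being compared as a value, which is exactly the defect the advisory
 * describes.
 */
function example_queue_items_unsafe($tid) {
  $connection = \Drupal::database();
  return $connection->query("SELECT entity_id FROM {example_queue} WHERE tid = $tid")
    ->fetchCol();
}

/**
 * Hardened: a named placeholder lets the database layer quote the value, so
 * it is always treated as data. The cast documents the expected type as well.
 */
function example_queue_items_safe($tid) {
  $connection = \Drupal::database();
  return $connection->query(
    'SELECT entity_id FROM {example_queue} WHERE tid = :tid',
    [':tid' => (int) $tid]
  )->fetchCol();
}

/**
 * Identifiers (table and column names) cannot be placeholders. When a sort
 * column comes from input, check it against an allow-list rather than quoting
 * it; the query builder handles the value placeholders for the condition.
 */
function example_queue_items_sorted($tid, $order_by) {
  $allowed = ['weight', 'created'];
  if (!in_array($order_by, $allowed, TRUE)) {
    $order_by = 'weight';
  }
  $connection = \Drupal::database();
  return $connection->select('example_queue', 'q')
    ->fields('q', ['entity_id'])
    ->condition('q.tid', (int) $tid)
    ->orderBy('q.' . $order_by)
    ->execute()
    ->fetchCol();
}
```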
Project: Tapestry
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the Tapestry project page.

Reported By: Fixed By: Coordinated By:
Project: litejazz
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the litejazz project page.

Reported By: Fixed By: Coordinated By:
Project: NewsFlash
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the NewsFlash project page.

Reported By: Fixed By: Coordinated By:
Project: Beale Street
Date: 2018-July-11
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution:

Also see the Beale Street project page.

Reported By: Fixed By: Coordinated By: