Drupal Security Advisories

Project: Bible
Date: 2018-January-17
Security risk: Critical 17/25 AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to display a Bible on your website. Users can associate notes with a Bible version.

The module has a SQL injection vulnerability: a carefully crafted note title allows an attacker to read, update or delete notes belonging to other users.

This vulnerability is mitigated by the fact that an attacker must have the "Access Bible content" permission, which is most likely granted by default if you have enabled this module.

The code appeared to contain other SQL injection vulnerabilities as well, and many lines were rewritten to make the module more secure. Even if you did not grant the "Access Bible content" permission, other SQL injection vulnerabilities may therefore have been exploitable.
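The following is an added illustration, not code from the Bible module: it shows the Drupal 7 query pattern that lets a user-supplied title reach the SQL parser, beside the placeholder form that keeps the title as data and scopes every note operation to the current user. The table and column names (bible_notes, uid, title, body) and the function names are assumptions made for the example.

```php
<?php
// Added example (not the Bible module's code). Table/column names are assumed.

/**
 * VULNERABLE: the request-controlled title is interpolated into the SQL text.
 * A title such as  x' OR '1'='1  turns the WHERE clause into a tautology, so
 * the query returns (or, on a DELETE, removes) every user's notes.
 */
function bible_example_notes_by_title_unsafe($uid, $title) {
  return db_query("SELECT nid, title, body FROM {bible_notes} WHERE uid = $uid AND title = '$title'")->fetchAll();
}

/**
 * HARDENED: the title travels as a bound parameter and never as SQL text,
 * and the uid comes from the session rather than from the request.
 */
function bible_example_notes_by_title($title) {
  global $user;
  return db_query(
    'SELECT nid, title, body FROM {bible_notes} WHERE uid = :uid AND title = :title',
    array(':uid' => $user->uid, ':title' => $title)
  )->fetchAll();
}

/**
 * HARDENED write path. The uid condition is what stops one user touching
 * another user's note; the condition API is what stops the title rewriting
 * the WHERE clause. Returns the number of rows deleted.
 */
function bible_example_note_delete($title) {
  global $user;
  return db_delete('bible_notes')
    ->condition('uid', $user->uid)
    ->condition('title', $title)
    ->execute();
}

/**
 * Reviewer's check for the pattern above: a PHP variable inside the quoted
 * SQL string (instead of in the arguments array) is what to grep for.
 */
function bible_example_has_interpolated_sql($source) {
  return (bool) preg_match('/db_(query|select)\s*\(\s*"[^"]*\$[A-Za-z_]/', $source);
}
```

Run the last helper over a module's .inc and .module files; any hit is a query to rewrite with placeholders or the query builder, as the maintainer did here.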

Solution: 

Install the latest version:

  • If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7
Reported By:
Fixed By:
Coordinated By:
Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
Description:

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.

This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module, and the 8.x release was updated within the last six months. Both releases are now flagged as security updates.

Solution: 

Install the latest version:

Reported By:
Fixed By:
  • The module maintainer
Coordinated By:
Project: Stacks
Date: 2018-January-10
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables content editors to create complex pages and layouts on the fly, without help from a developer, using reusable widgets.
The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class chosen by the attacker.
This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.
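As an added example (not the Stacks module's code), here is the general shape of the bug: a Drupal 8 AJAX handler that instantiates whatever class name the POST body names, beside one that accepts only an opaque key and resolves it through a fixed map of widget classes. The parameter names (widget_class, widget_type), the widget classes and the stacks_example_* function names are assumptions.

```php
<?php
// Added example (not the Stacks module's code). Names are assumed.

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;

/**
 * VULNERABLE: `new $class()` on a request-controlled string. Any class the
 * autoloader can see is constructible, including classes whose constructor
 * has side effects, so the caller chooses which code runs.
 */
function stacks_example_render_widget_unsafe(Request $request) {
  $class = $request->request->get('widget_class');
  $widget = new $class();
  return new JsonResponse(['markup' => $widget->render()]);
}

/**
 * Fixed map: the only classes this endpoint may ever construct.
 */
function stacks_example_widget_map() {
  return [
    'content_feed' => 'Drupal\stacks_example\Widget\ContentFeed',
    'text'         => 'Drupal\stacks_example\Widget\Text',
  ];
}

/**
 * HARDENED: the request supplies a key, never a class name. Unknown keys are
 * rejected, and even a mapped class must implement the expected contract
 * before it is instantiated.
 */
function stacks_example_render_widget(Request $request) {
  $key = (string) $request->request->get('widget_type', '');
  $map = stacks_example_widget_map();
  if (!isset($map[$key])) {
    return new JsonResponse(['error' => 'unknown widget type'], 400);
  }
  $class = $map[$key];
  if (!is_subclass_of($class, 'Drupal\stacks_example\Widget\WidgetInterface')) {
    return new JsonResponse(['error' => 'not a widget'], 500);
  }
  $widget = new $class();
  return new JsonResponse(['markup' => $widget->render()]);
}
```

In a real Drupal 8 module the map would normally be a plugin manager with an annotation-discovered plugin type, which gives the same property: the client picks a plugin ID, the server decides which class that ID maps to.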

Solution: 

Install the latest version:

  • If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1
Reported By:
  • Jean-François Hovinne
Fixed By:
  • Mauro Vigliotti, the module maintainer
Coordinated By:
  • Michael Hess of the Drupal Security Team
Project: me aliases
Date: 2017-December-20
Security risk: Highly critical 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary code execution
Description:

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code passed in as a string.

Solution:

Install the latest version:

  • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3
Reported By:
  • ross.linscott
Fixed By:
  • Camilo Bravo
  • nohup
  • Michael Hess of the Drupal Security Team
Coordinated By:
  • Michael Hess of the Drupal Security Team
Project: Directory based organisational layer
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

This module adds a new organizational layer to Drupal, making it easier to manage large numbers of files and nodes.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the Directory based organisational layer module for Drupal you should uninstall it.

Reported By:

Jean-Francois Hovinne

Fixed By:

N/A

Project: ComScore direct tag
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

A simple module to add the JS for the comScore Direct tag to your Drupal site.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the ComScore Direct tag module for Drupal you should uninstall it.

Reported By:

Balazs Janos Tatar

Fixed By:

N/A

Project: Link Click Count
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

The Link Click Count module helps you monitor traffic on your website by creating link fields. These link fields can be individual links or internal/external links added to a content type.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the Link Click Count module for Drupal you should uninstall it.

Reported By:

Karthik Kumar D K

Fixed By:

N/A

Project: Panopoly Core
Version: 7.x-1.x-dev
Date: 2017-December-13
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module provides common functionality used by other modules in the Panopoly distribution and its child distributions, such as Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.
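The following is an added example, not Panopoly Core's code: a Drupal 7 breadcrumb builder that appends the raw node title (stored XSS for every visitor of the page, planted by anyone who can create content) beside the escaped form, and the variant for a linked title where l() does the escaping. The panopoly_example_* function names are assumptions.

```php
<?php
// Added example (not Panopoly Core's code). Function names are assumed.

/**
 * VULNERABLE: node titles are stored as plain text, but breadcrumb items
 * are rendered as HTML. A node titled  <script>...</script>  therefore runs
 * in the browser of every visitor whose breadcrumb ends with that title.
 */
function panopoly_example_append_title_unsafe($node) {
  $breadcrumb = drupal_get_breadcrumb();
  $breadcrumb[] = $node->title;
  drupal_set_breadcrumb($breadcrumb);
}

/**
 * HARDENED: escape plain text at the point where it enters an HTML context.
 * check_plain() is the Drupal 7 escaper for text that carries no markup.
 */
function panopoly_example_append_title($node) {
  $breadcrumb = drupal_get_breadcrumb();
  $breadcrumb[] = check_plain($node->title);
  drupal_set_breadcrumb($breadcrumb);
}

/**
 * The same rule when the crumb is a link. l() escapes its text argument by
 * default, so the title must NOT be pre-escaped (that would double-encode)
 * and 'html' => TRUE must NOT be passed in the options.
 */
function panopoly_example_append_title_link($node) {
  $breadcrumb = drupal_get_breadcrumb();
  $breadcrumb[] = l($node->title, 'node/' . $node->nid);
  drupal_set_breadcrumb($breadcrumb);
}

/**
 * Quick regression check for the escaping rule: the escaped crumb must not
 * contain a raw '<' and must round-trip back to the original title.
 */
function panopoly_example_title_is_escaped($title) {
  $crumb = check_plain($title);
  return strpos($crumb, '<') === FALSE && decode_entities($crumb) === $title;
}
```

When auditing a theme or module for this class of bug, look for every place a title, name or other plain-text property is concatenated into a render array's '#markup' or passed to drupal_set_breadcrumb() or drupal_set_title() without check_plain(); the fix is the same in each case.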

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:
Project: Node feedback
Version: 7.x-1.2
Date: 2017-December-06
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
Description:

This module lets you configure nodes so that feedback about them can be sent through the personal or site-wide contact forms.
The module doesn't sufficiently check access to the nodes whose titles are shown on those contact forms.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms", which is often assigned to untrusted user roles such as anonymous.
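Both access-bypass advisories on this page (Node view permissions above, Node feedback here) come down to the same rule, so one added example serves both; it is not code from either module. It shows a Drupal 7 hook_node_access() implementation that grants per-type "view any"/"view own" permissions without leaking unpublished nodes, and a helper that filters the node titles a contact form offers through node_access(). The module name (nvp_example) and the permission strings are assumptions.

```php
<?php
// Added example (not code from Node view permissions or Node feedback).
// Module name and permission strings are assumed.

/**
 * VULNERABLE shape: returns ALLOW for any node of the type without looking
 * at $node->status. Because an ALLOW from hook_node_access() short-circuits
 * core's own checks, an unpublished draft becomes readable.
 */
function nvp_example_node_access_unsafe($node, $op, $account) {
  if ($op == 'view' && user_access("view any {$node->type} content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  return NODE_ACCESS_IGNORE;
}

/**
 * Implements hook_node_access().
 *
 * HARDENED: per-type view permissions apply to published nodes only. For an
 * unpublished node the hook stays silent (IGNORE) so core decides, and core
 * only allows the author holding 'view own unpublished content' or an
 * account with 'bypass node access'.
 */
function nvp_example_node_access($node, $op, $account) {
  if ($op != 'view' || !is_object($node)) {
    return NODE_ACCESS_IGNORE;
  }
  if (empty($node->status)) {
    return NODE_ACCESS_IGNORE;
  }
  $type = $node->type;
  if (user_access("view any $type content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  $is_owner = ($account->uid && $account->uid == $node->uid);
  if ($is_owner && user_access("view own $type content", $account)) {
    return NODE_ACCESS_ALLOW;
  }
  return NODE_ACCESS_IGNORE;
}

/**
 * Node feedback pattern: never list a node title the current user could not
 * open. node_access() runs core's checks plus every hook_node_access(), so
 * the select options and the node page agree on what is visible.
 */
function nvp_example_feedback_node_options(array $nids) {
  $options = array();
  foreach (node_load_multiple($nids) as $nid => $node) {
    if (node_access('view', $node)) {
      $options[$nid] = check_plain($node->title);
    }
  }
  return $options;
}
```

The second function is also the check to run when verifying the fix: as an authenticated user with only the per-type view permission, node_access('view', $unpublished_node) must return FALSE, and the node must be absent from the contact form's options.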

Solution:

Install the latest version:

Also see the Node feedback project page.

Reported By:
Fixed By:
Coordinated By:
Project: Configuration Update Manager
Version: 8.x-1.4
Date: 2017-December-06
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery (CSRF)
Description:

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into an unwanted import of configuration.

This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
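As an added example, not the Configuration Update Manager's code, the following contrasts the shape of a CSRF-able Drupal 8 import operation (a state change performed on a plain GET request) with the standard fix: a ConfirmFormBase, whose submission carries a per-session form token and whose state change happens only in submitForm() on a validated POST. The module name (config_example), the importer service, the route name and the classes are assumptions.

```php
<?php
// Added example (not the Configuration Update Manager's code). Names assumed.

namespace Drupal\config_example\Form;

use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

/**
 * VULNERABLE shape: a controller reachable by GET that imports on arrival.
 * An attacker who gets an administrator to load
 *   <img src="/admin/.../report/import/system.site">
 * performs the import with the administrator's session; the browser sends
 * the session cookie automatically and nothing proves the admin intended it.
 */
class UnsafeImportController {
  public function import($config_name) {
    \Drupal::service('config_example.importer')->import($config_name); // assumed service
    return new RedirectResponse('/admin/config/development/configuration');
  }
}

/**
 * HARDENED: a confirmation form. Drupal's form system adds a token bound to
 * the session to every form and rejects a submission whose token is missing
 * or wrong, so a cross-site request cannot produce a valid POST.
 */
class ImportConfirmForm extends ConfirmFormBase {

  /** @var string */
  protected $configName;

  public function getFormId() {
    return 'config_example_import_confirm';
  }

  public function buildForm(array $form, FormStateInterface $form_state, $config_name = NULL) {
    $this->configName = $config_name;
    return parent::buildForm($form, $form_state);
  }

  public function getQuestion() {
    return $this->t('Import configuration %name from the extension that provides it?', ['%name' => $this->configName]);
  }

  public function getCancelUrl() {
    return Url::fromRoute('config_example.report'); // assumed route name
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only reached after the form token and the user's access have been checked.
    \Drupal::service('config_example.importer')->import($this->configName); // assumed service
    drupal_set_message($this->t('Imported %name.', ['%name' => $this->configName]));
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```

The route for the form points `_form` at the class above and carries the same `_permission` requirement as the report. If an operation really must stay a GET link, the Drupal 8 alternative is to add `_csrf_token: 'TRUE'` to the route's requirements and generate the link with Url::fromRoute() so the token is appended; a hand-written path without the token is then rejected.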

Solution:

Install the latest version:

Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.

Also see the Configuration Update Manager project page.

Reported By:
Fixed By:
Coordinated By:
