Drupal Security Advisories

Project: Custom Permissions
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

When this module is in use, any user who can perform an action that rebuilds some of Drupal's caches can cause pages protected by this module's custom permissions to temporarily lose those access controls, an access bypass vulnerability.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs on sites that either have another node access module (besides Permissions by Term) in use, or that have node listings that are accessible to unprivileged users and that don't directly filter out unpublished content.
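Why writing node-access grants for nodes a module does not control is a bypass, and why a listing needs its own status filter, as an added example modelling Drupal's node_access grants table. This is not Permissions by Term code; the row layout and OR-across-realms rule follow Drupal's node_access query, while the module names, node ids, grant ids and the "secret_section" module are constructed.

```python
"""Model of Drupal's node_access table (added example, not module code).
One row per (nid, realm, gid); a user may view nid if ANY row for it
matches one of the (realm, gid) pairs the user holds and has grant_view=1.
Rows from different modules are OR'ed, never AND'ed."""
from collections import namedtuple

Grant = namedtuple("Grant", "nid realm gid view")

# Constructed fixtures. "secret_section" is another node-access module that
# restricts nodes 1 and 2 to grant id 7 in its own realm. Node 3 has no
# module-specific rows, so Drupal stores the open ('all', 0) row for it.
SECRET_SECTION_ROWS = [Grant(1, "secret_section", 7, 1),
                       Grant(2, "secret_section", 7, 1)]
OPEN_ROWS = [Grant(3, "all", 0, 1)]
PUBLISHED = {1: 1, 2: 1, 3: 0}          # nid -> status; node 3 is unpublished
TERM_CONTROLLED = {2}                   # nodes actually tagged with a permission term


def term_module_rows_overbroad(all_nids):
    """Bug pattern: emit a viewable row for every node, including nodes this
    module does not control. Any matching row grants access, so the other
    module's restriction on node 1 is neutralised."""
    return [Grant(n, "permissions_by_term", 0, 1) for n in all_nids]


def term_module_rows_scoped(controlled):
    """Hardened pattern: only write rows for nodes the module controls."""
    return [Grant(n, "permissions_by_term", 0, 1) for n in controlled]


def grants_for(user_is_editor):
    """hook_node_grants() result for a user: the (realm, gid) pairs they hold."""
    g = {("all", 0), ("permissions_by_term", 0)}
    if user_is_editor:
        g.add(("secret_section", 7))
    return g


def grants_allow_view(table, nid, user_grants):
    """The grants part of an access check: true if ANY matching row for nid
    has grant_view set."""
    return any(r.nid == nid and r.view and (r.realm, r.gid) in user_grants
               for r in table)


def listing(table, user_grants, filter_status):
    """A node listing query. Grants say nothing about publication state, so the
    query must add status = 1 itself (the second bug described on the page)."""
    nids = {r.nid for r in table}
    return sorted(n for n in nids if grants_allow_view(table, n, user_grants)
                  and (not filter_status or PUBLISHED[n] == 1))


def scenario(overbroad):
    """Run an anonymous user against the table with the overbroad or the
    scoped term module rows."""
    term_rows = (term_module_rows_overbroad({1, 2, 3}) if overbroad
                 else term_module_rows_scoped(TERM_CONTROLLED))
    table = SECRET_SECTION_ROWS + OPEN_ROWS + term_rows
    anon = grants_for(user_is_editor=False)
    return {
        "anon_sees_secret_node_1": grants_allow_view(table, 1, anon),
        "listing_without_status_filter": listing(table, anon, False),
        "listing_with_status_filter": listing(table, anon, True),
    }


if __name__ == "__main__":
    print("overbroad:", scenario(True))
    print("scoped:   ", scenario(False))
```

With the overbroad rows, the anonymous user sees node 1 even though secret_section restricted it; with scoped rows that access disappears. In both variants the unpublished node 3 stays in a listing that forgets `status = 1`, which is why a node-access module cannot be relied on to hide unpublished content.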

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Automated Logout
Version: 7.x-4.x-dev
Date: 2017-November-01
Security risk: Moderately critical 14/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Mosaik
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Description:

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates, resulting in a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".

Solution: 

Install the latest version:

Also see the Mosaik project page.

Reported By: Fixed By: Coordinated By: 
Project: Brilliant Gallery
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: Highly critical 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.
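The query pattern behind an injection like this, as an added example: a string-built lookup beside the placeholder-bound form, run against an in-memory SQLite table. This is Python with sqlite3, not the module's PHP, and the table, rows and the two attacker inputs are constructed for the demonstration; the vulnerable function mirrors the Drupal 7 `db_query("... WHERE folder = '" . $folder . "'")` style rather than the `db_query("... WHERE folder = :folder", array(':folder' => $folder))` form.

```python
"""SQL injection: string-built query beside the parameterised form.
Added example using Python + sqlite3; table, rows and inputs are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, name TEXT, "
                 "folder TEXT, private INTEGER)")
    conn.executemany(
        "INSERT INTO gallery (name, folder, private) VALUES (?, ?, ?)",
        [("Holiday", "public/2017", 0),
         ("Launch", "public/2017", 0),
         ("Board minutes", "private/board", 1)])
    return conn


def public_galleries_vulnerable(conn, folder):
    """Untrusted input spliced into the SQL text. The private = 0 condition
    is meant to hide restricted galleries, but the attacker controls the
    rest of the WHERE clause."""
    sql = ("SELECT name FROM gallery WHERE private = 0 AND folder = '%s'"
           % folder)
    return [row[0] for row in conn.execute(sql)]


def public_galleries_safe(conn, folder):
    """Placeholder binding: the value travels separately from the SQL, so
    quotes and keywords inside it are data, never syntax."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM gallery WHERE private = 0 AND folder = ?", (folder,))]


# Constructed attacker input 1: closes the literal and ORs in a true clause,
# so AND private = 0 no longer restricts anything (OR binds looser than AND).
TAUTOLOGY = "x' OR '1'='1"
# Constructed attacker input 2: UNIONs in a column the page never shows,
# then comments out the trailing quote.
UNION = "x' UNION SELECT folder FROM gallery WHERE private = 1 --"


def demo():
    conn = make_db()
    return {
        "honest_query": public_galleries_vulnerable(conn, "public/2017"),
        "tautology_vulnerable": public_galleries_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": public_galleries_vulnerable(conn, UNION),
        "tautology_safe": public_galleries_safe(conn, TAUTOLOGY),
        "union_safe": public_galleries_safe(conn, UNION),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same inputs that leak the private gallery through the string-built query return nothing through the bound one, because no folder literally named `x' OR '1'='1` exists.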

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.
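What "confirming the user's intent" means in practice, as an added example: a per-session, per-form token in the shape of Drupal 7's `drupal_get_token()`/`drupal_valid_token()` (an HMAC over the form id keyed by the session id and a site-private key), checked by the handler that saves the data. This is not the module's code; the session ids, private key, form id and checklist handler are constructed.

```python
"""CSRF token check for a state-changing form submission, modelled on
drupal_get_token()/drupal_valid_token(). Added example, not module code;
session ids, key, form id and handlers are constructed."""
import base64
import hashlib
import hmac
import secrets

SITE_PRIVATE_KEY = secrets.token_bytes(32)   # stands in for drupal_get_private_key()
FORM_ID = "brilliant_gallery_checklist"      # constructed form id


def get_token(session_id, value):
    """Token bound to this session and this form; embedded as a hidden field."""
    key = session_id.encode() + SITE_PRIVATE_KEY
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def valid_token(token, session_id, value):
    """Constant-time comparison against a freshly derived token."""
    return hmac.compare_digest(token or "", get_token(session_id, value))


CHECKLIST = {}   # constructed server-side state the form mutates


def save_checklist_vulnerable(request):
    """Only relies on the session cookie. A cross-site POST auto-submitted
    from an attacker's page carries the victim's cookie, so it passes."""
    CHECKLIST[request["session_id"]] = request["params"]["items"]
    return True


def save_checklist_safe(request):
    """Also requires the hidden form token. The attacker's page cannot read
    the victim's token (same-origin policy), so a forged POST is refused."""
    if not valid_token(request["params"].get("form_token"),
                       request["session_id"], FORM_ID):
        return False
    CHECKLIST[request["session_id"]] = request["params"]["items"]
    return True


def demo():
    victim = "sess-" + secrets.token_hex(8)
    # Request the victim's own browser sends after loading the real form.
    legit = {"session_id": victim,
             "params": {"items": ["a", "b"],
                        "form_token": get_token(victim, FORM_ID)}}
    # Request auto-submitted by an attacker's page: same session cookie,
    # but the token is at best a guess.
    forged = {"session_id": victim,
              "params": {"items": ["wiped"], "form_token": "guess"}}
    CHECKLIST.clear()
    results = {"vuln_accepts_forged": save_checklist_vulnerable(forged),
               "safe_rejects_forged": not save_checklist_safe(forged)}
    results["safe_accepts_legit"] = save_checklist_safe(legit)
    results["state"] = CHECKLIST[victim]
    return results


if __name__ == "__main__":
    print(demo())
```

In Drupal 7 the Form API adds this token automatically for authenticated users; the bug class on this page arises when a module saves data from a custom GET or POST handler that never goes through form validation, so no token is ever checked.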

Some configuration fields are not filtered while rendered, resulting in a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Brilliant Gallery".
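The persistent XSS pattern shared by the Automated Logout, Mosaik and Brilliant Gallery advisories above (administrator-supplied text stored in configuration and rendered unescaped), as one added example: raw interpolation beside a `check_plain()`-style escape and a `filter_xss()`-style allowlist filter. This is not code from any of those modules; the setting name, the allowed tag set and the payload are constructed.

```python
"""Rendering stored configuration text: raw, escaped, and allowlist-filtered.
Added example, not module code; the setting and payload are constructed."""
from html import escape
from html.parser import HTMLParser

# Tags and attributes an administrator's message may keep (constructed set).
ALLOWED = {"a": {"href", "title"}, "em": set(), "strong": set(), "br": set()}
VOID = {"br"}
SAFE_SCHEMES = ("http://", "https://", "/")


class AllowlistFilter(HTMLParser):
    """Drops every tag not in ALLOWED (keeping its text), every attribute not
    allowed for that tag, and href values with a non-http(s) scheme. Text and
    surviving attribute values are re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                       # tag removed, its text still flows
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                 # onerror=, onclick=, src= ... all dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                 # javascript:, data: ... dropped
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def filter_xss(text):
    p = AllowlistFilter()
    p.feed(text)
    p.close()
    return "".join(p.out)


def render_vulnerable(settings):
    """The bug on this page: admin-supplied text dropped straight into markup."""
    return '<div class="logout-notice">%s</div>' % settings["message"]


def render_plain(settings):
    """check_plain() equivalent: no markup survives at all."""
    return '<div class="logout-notice">%s</div>' % escape(settings["message"], quote=True)


def render_filtered(settings):
    """filter_xss() equivalent: a little markup survives, script vectors do not."""
    return '<div class="logout-notice">%s</div>' % filter_xss(settings["message"])


# Constructed message as saved by an account holding the module's admin permission.
PAYLOAD = ('<strong>Session expiring</strong> '
           '<a href="javascript:alert(1)" onclick="steal()">renew</a>'
           '<img src=x onerror=alert(document.cookie)>')

if __name__ == "__main__":
    for fn in (render_vulnerable, render_plain, render_filtered):
        print(fn.__name__, fn({"message": PAYLOAD}))
```

The stored payload fires on every page view for every visitor, which is why the advisories call it persistent; the mitigation they cite (an admin permission is required to store it) limits who can plant it, not who is exposed to it.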

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Yandex.Metrics
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module doesn't sufficiently make clear that its settings page should not be exposed to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Solution: 

Install the latest version:

  • If you use the Yandex.Metrics module for Drupal 7.x, upgrade to its 7.x-3.1

Also see the Yandex.Metrics project page.

Reported By: Fixed By: Coordinated By: 
Project: netFORUM Authentication
Version: 7.x-1.0
Date: 2017-October-11
Security risk: Moderately critical 12/25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use Drupal's flood control, leaving its login path susceptible to brute force attacks on user credentials.
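What correct use of flood control looks like on a login path, as an added example modelled on Drupal 7's `flood_is_allowed()`, `flood_register_event()` and `flood_clear_event()` and on the per-IP and per-account limits core's login form applies. This is not the module's code; the thresholds, the in-memory flood store, the simulated clock and the credential check are constructed.

```python
"""Flood control on an external-authentication login. Added example, not
module code; thresholds, store, clock and credential check are constructed."""
from collections import defaultdict, deque

IP_LIMIT = (50, 3600)        # 50 failures per IP per hour
USER_LIMIT = (5, 6 * 3600)   # 5 failures per account per six hours


class Flood:
    """In-memory stand-in for the {flood} table, keyed by (event, identifier)."""

    def __init__(self):
        self.events = defaultdict(deque)   # (event, identifier) -> timestamps

    def register(self, event, identifier, now):
        self.events[(event, identifier)].append(now)

    def clear(self, event, identifier):
        self.events.pop((event, identifier), None)

    def is_allowed(self, event, identifier, threshold, window, now):
        q = self.events[(event, identifier)]
        while q and q[0] <= now - window:     # expire entries outside the window
            q.popleft()
        return len(q) < threshold


def login_without_flood_control(flood, check, ip, user, password, now):
    """The advisory's failure mode: nothing limits repeated guesses."""
    return check(user, password)


def login_with_flood_control(flood, check, ip, user, password, now):
    """Check both limits before consulting the backend, count every failure
    against both identifiers, and clear the account counter on success."""
    if not flood.is_allowed("failed_login_ip", ip, *IP_LIMIT, now):
        return False
    if not flood.is_allowed("failed_login_user", user, *USER_LIMIT, now):
        return False
    if check(user, password):
        flood.clear("failed_login_user", user)
        return True
    flood.register("failed_login_ip", ip, now)
    flood.register("failed_login_user", user, now)
    return False


def brute_force(login, guesses, correct="hunter2", user="alice", ip="203.0.113.5"):
    """Constructed attacker: one guess per second, then the real password.
    Returns whether that final, correct attempt was accepted."""
    flood = Flood()
    check = lambda u, p: u == user and p == correct   # constructed backend check
    for i, guess in enumerate(guesses):
        login(flood, check, ip, user, guess, now=float(i))
    return login(flood, check, ip, user, correct, now=float(len(guesses)))


if __name__ == "__main__":
    print("no flood control, 1000 guesses then correct:",
          brute_force(login_without_flood_control, ["wrong"] * 1000))
    print("flood control,    5 guesses then correct:",
          brute_force(login_with_flood_control, ["wrong"] * 5))
```

Checking the limit but never registering failures, or registering them under an identifier the attacker controls, has the same effect as no flood control; the per-account counter is what stops a distributed guess against one user, and clearing it only on success keeps a legitimate user from being locked out indefinitely.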

Solution: 

Install the latest version:

Reported By: Coordinated By: Fixed By: 