Drupal Security Advisories

Project: Responsive Menus
Version: 7.x-1.x-dev
Date: 2018-December-05
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to collapse your site's main menu on mobile and show a menu toggle button.

The module doesn't sufficiently sanitize configuration settings provided by users, which leads to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive menus".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Salesforce Suite
Date: 2018-December-05
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce record IDs are exposed. Entity content and metadata are appropriately protected. Disclosure of Salesforce ID does not confer any additional privileges.

Solution: 

Install the latest version:

Also see the Salesforce Suite project page.

Reported By: Fixed By: Coordinated By: 
Project: Password Policy
Version: 7.x-1.x-dev
Date: 2018-December-05
Security risk: Less critical 9/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Description:

The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords.

The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive.

This vulnerability is mitigated by the fact that a site must have the "digit placement" constraint enabled.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: Date Reminder
Date: 2018-November-28
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module allows registered users to request email reminders to be sent at a specified time before an event.

The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.

This can be mitigated by configuring Date Reminder with Reminder Display set to "Fieldset within a node", which disables the potential exploit.

Solution: 

Install the latest version:

Also see the Date Reminder project page.

Reported By: Fixed By: Coordinated By: 
Balazs Janos Tatar, Provisional Security Team member

Project: GatherContent
Date: 2018-November-28
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to import and export data from the GatherContent service.

The module didn't properly protect its administrative paths.

Versions affected:

  • gathercontent 7.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed GatherContent module, there is nothing you need to do.

Solution:

Install the latest version:

Reported By: Fixed By: Coordinated By:
Project: Bootstrap
Version: 7.x-3.22, 8.x-3.14
Date: 2018-November-28
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

This base theme bridges the gap between Drupal and the Bootstrap Framework.

The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips.

This vulnerability is mitigated by the fact that an attacker must already have the ability to either:

1. Edit/save custom content that supplies a value for the data-target attribute by injecting malicious code.
2. Inject custom markup onto the page that further exploits the data-target attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.

Note: the base theme does not provide either of these opportunities out of the box; a custom sub-theme may, however, be susceptible if it does not properly sanitize or filter user-provided input for XSS.

Solution:

Install the latest version and take additional manual steps (see below).

  • If you use the Drupal Bootstrap base-theme for Drupal 7.x, upgrade to 7.x-3.22
  • If you use the Drupal Bootstrap base-theme for Drupal 8.x, upgrade to 8.x-3.14

Extra Note:

The vulnerability fixed in the Bootstrap theme releases on Drupal.org is a by-product of forking parts of the external framework's JavaScript code. The external framework's vulnerability was first reported in a public issue, and a fix was later merged into the external framework; however, an official release of the external framework has yet to be made.

Users of this theme should take two additional steps:

1. Follow this external framework issue for further information and to keep up to date on when you need to upgrade your sub-theme's external framework source. You may consider using the distributed files from the temporary branch master-xmr-v3-fixes until an official release is made.
2. Review any custom code on your site that might have been copied from the external framework's vulnerable code.

Also see the Bootstrap project page.

Reported By: Fixed By: Coordinated By:
Project: Paragraphs
Version: 8.x-1.4
Date: 2018-October-31
Security risk: Moderately critical 10/25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access Bypass
Description:

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users.

The module doesn't sufficiently check access to create new paragraph entities, which can cause access bypass issues when used in combination with other contributed modules.

Solution:

Install the latest version:

Also see the Paragraphs project page.

Reported By: Fixed By: Coordinated By:
Project: Session Limit
Version: 7.x-2.2, 8.x-1.0-beta2
Date: 2018-October-31
Security risk: Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure Session Management
Description:

The Session Limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in while another session is already active elsewhere, the module asks the user which session should be closed before they can proceed with login. The module does not sufficiently tokenise the list of sessions, so the user's session keys can be found by inspecting the form.

This vulnerability is mitigated by the fact that an attacker must already be able to intercept the contents of the HTML page to exploit the issue. That ability to intercept may come from Cross Site Scripting. This makes a Cross Site Scripting vulnerability worse than it would normally be.

Solution:

Install the latest version:

  • If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
  • If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

Also see the Session Limit project page.

Reported By: Fixed By: Coordinated By:
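As an added illustration of the weakness the Session Limit advisory describes (this is not the module's code), the session-selection form is built two ways: with raw session ids as the option values, and with per-form HMAC tokens that only the server can map back to a session. The sample sessions, function names and the handling of the form key are assumptions for the example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed sample data (not from the Session Limit module): the active
# sessions the server holds for one user, keyed by the raw session id.
USER_SESSIONS = {
    "SESS_constructed_id_1_desktop": "Firefox on Linux, last seen 2 minutes ago",
    "SESS_constructed_id_2_phone": "Safari on iPhone, last seen 3 hours ago",
}

def vulnerable_options(sessions):
    """Before: option values are raw session ids, so anyone who can read the
    page markup (e.g. through an XSS payload) learns usable session keys."""
    return [(sid, desc) for sid, desc in sessions.items()]

def session_token(form_key, sid):
    """Opaque handle for one session, bound to one form instance by a secret
    key kept server-side; without the key it reveals nothing about the id."""
    return hmac.new(form_key, sid.encode(), hashlib.sha256).hexdigest()

def tokenised_options(sessions, form_key):
    """After: the same choice, but option values are tokens, not session ids."""
    return [(session_token(form_key, sid), desc) for sid, desc in sessions.items()]

def resolve_token(submitted, sessions, form_key):
    """On submit: map the token back to a session id, or None. Recomputing over
    the user's own sessions means a token from another form/user never matches."""
    for sid in sessions:
        if hmac.compare_digest(session_token(form_key, sid).encode(), submitted.encode()):
            return sid
    return None

def render_radios(options, name="session_to_close"):
    """Render the options as radio buttons with escaped values and labels."""
    return "\n".join(
        '<label><input type="radio" name="%s" value="%s"> %s</label>'
        % (html.escape(name), html.escape(value), html.escape(label))
        for value, label in options
    )

def leaks_session_key(markup, sessions):
    """Check: does any raw session id appear in the rendered form?"""
    return any(sid in markup for sid in sessions)

def new_form_key():
    """Per-form secret; assumed to be stored with the form state server-side."""
    return secrets.token_bytes(32)
```

The leak check is the useful review step: run it against the rendered markup of any form that lists sessions, and it should never find a raw session id.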
Project: Decoupled Router
Version: 8.x-1.1, 8.x-1.0
Date: 2018-October-31
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that should not be accessible, for example the titles of unpublished content.

Solution:

Install the latest version:

Also see the Decoupled Router project page.

Reported By: Fixed By: Coordinated By:
