Drupal Security Advisories

Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.
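The behaviour the release notes describe, and the effect of a guard that skips the `__proto__` key, shown as an added example that is not code from jQuery, Drupal or this advisory. `deepMerge` is a hypothetical stand-in for `jQuery.extend(true, {}, ...)`, `hasProtoKey` is a hypothetical input check, and the sample JSON is constructed.

```javascript
// Stand-in for a recursive merge such as jQuery.extend(true, target, source).
// skipProto=false models the pre-fix behaviour, true models the guarded merge.
function deepMerge(target, source, skipProto) {
  for (const key in source) {
    if (skipProto && key === "__proto__") continue; // never follow this key
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = target[key];
      const base = existing !== null && typeof existing === "object" ? existing : {};
      target[key] = deepMerge(base, value, skipProto);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Input-side check: report any own "__proto__" key at any depth.
function hasProtoKey(value) {
  if (value === null || typeof value !== "object") return false;
  if (Object.prototype.hasOwnProperty.call(value, "__proto__")) return true;
  return Object.values(value).some(hasProtoKey);
}

// Constructed sample input. JSON.parse creates "__proto__" as an own,
// enumerable property, which is the case the release notes describe.
const SAMPLE = '{"settings": {"theme": "dark"}, "__proto__": {"polluted": "yes"}}';

function mergeUntrusted(skipProto) {
  const merged = deepMerge({}, JSON.parse(SAMPLE), skipProto);
  const leaked = ({}).polluted === "yes"; // visible on an unrelated object?
  delete Object.prototype.polluted;       // restore the runtime for the next call
  return { leaked, theme: merged.settings.theme };
}

console.log("unguarded merge:", mergeUntrusted(false));
console.log("guarded merge:  ", mergeUntrusted(true));
console.log("input carries __proto__:", hasProtoKey(JSON.parse(SAMPLE)));
```

The guarded merge still copies the legitimate `settings` branch, so the guard does not change behaviour for well-formed input.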

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 
Project: Drupal core
Date: 2019-April-17
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Multiple Vulnerabilities
Description:

This security release fixes third-party dependencies included in or required by Drupal core.

  • CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory:

    Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

  • CVE-2019-10910: Check service IDs are valid. From that advisory:

    Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

  • CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory:

    This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).
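Why the separator in CVE-2019-10911 matters, as an added example that is not Symfony's or Drupal's code. The function names, the secret and the two user records are constructed, and base64url-encoding the username before joining is this example's own choice for keeping the first field free of the delimiter.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value, not a real key

// Pre-fix shape: fields are concatenated with nothing between them, so the
// MAC input does not record where the username ends and the expiry begins.
function macUnseparated(username, expires, passwordHash) {
  return createHmac("sha256", SECRET)
    .update(username + String(expires) + passwordHash)
    .digest("hex");
}

// Post-fix shape: a delimiter pins each field boundary. The expiry must be
// all digits and the username is encoded so neither can contain ":".
function macSeparated(username, expires, passwordHash) {
  if (!/^\d+$/.test(String(expires))) throw new Error("expires must be numeric");
  const user = Buffer.from(username, "utf8").toString("base64url");
  return createHmac("sha256", SECRET)
    .update([user, String(expires), passwordHash].join(":"))
    .digest("hex");
}

// Constant-time comparison of a presented MAC against the expected one.
function verifySeparated(mac, username, expires, passwordHash) {
  const expected = Buffer.from(macSeparated(username, expires, passwordHash), "hex");
  const given = Buffer.from(String(mac), "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed records: both users have an empty password hash, the
// externally-authenticated (SSO) case the advisory mentions.
const A = { username: "alice", expires: 1555500000, passwordHash: "" };
const B = { username: "alice1", expires: 555500000, passwordHash: "" };

function sameMac(macFn) {
  return macFn(A.username, A.expires, A.passwordHash) ===
         macFn(B.username, B.expires, B.passwordHash);
}

console.log("unseparated MACs equal:", sameMac(macUnseparated));
console.log("separated MACs equal:  ", sameMac(macSeparated));
```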

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: Fixed By: 
Project: TableField
Date: 2019-April-17
Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module allows you to attach tabular data to an entity.

The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution: 

Install the latest version:

  • If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

Reported By: Fixed By: Coordinated By: 
Project: Stage File Proxy
Version: 7.x-1.x-dev
Date: 2019-April-17
Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Description:

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate requested URLs, allowing an attacker to send repeated requests for files that do not exist, which could exhaust resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).

Solution: 

Install the latest version:

Also see the Stage File Proxy project page.

Reported By: Fixed By: Coordinated By: 
Project: Services
Version: 7.x-3.x-dev
Date: 2019-April-03
Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update nodes that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a node.

Solution: 

Install the latest version:

Also see the Services project page.

Reported By: Fixed By: Coordinated By: 
Project: Module Filter
Version: 7.x-2.x-dev
Date: 2019-March-27
Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Description:

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs.

The module doesn't sufficiently escape HTML in the scenario described below, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have access to input filtered HTML that will be included on the modules administration page, e.g. in a block (this configuration is not common). Further, the Module Filter vertical tabs setting must be enabled.

Solution: 

Install the latest version:

Also see the Module Filter project page.

Reported By: Fixed By: Coordinated By: 
Project: Drupal core
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Solution: 

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By: Fixed By: 
Project: RESTful
Version: 7.x-2.x-dev, 7.x-1.x-dev
Date: 2019-March-20
Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability: Remote code execution
Description:

This resolves issues described in SA-CORE-2019-003 for this module.

Solution: 
Project: Back To Top
Version: 7.x-1.x-dev
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery.

The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting (XSS) issue.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access backtotop settings".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Project: AddToAny Share Buttons
Version: 7.x-4.x-dev
Date: 2019-March-20
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to add social media share buttons on your website to its content and pages.

The module doesn't mark its administration permission as restricted, which exposes cross-site scripting vulnerabilities to users who have access to its admin settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer addtoany".

Solution: Reported By: Fixed By: Coordinated By: 
