Drupal Security Advisories

Project: Entity Registration
Date: 2019-February-13
Security risk: Critical 18/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Default
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern.
If anonymous users are allowed to register and:

  • anonymous users have the "View" permission, information included in the registration can be accessed.
  • anonymous users have the "Edit" permission, information included in the registration can be altered.
  • anonymous users have the "Delete" permission, the registration itself can be deleted.

This vulnerability is mitigated by the fact that it only applies to cases where the anonymous user role has specifically been given View, Edit, or Delete access to the specific Registration Type.

Solution: 

Install the latest version:

Project: OAuth 2.0 Client Login (Single Sign-On)
Date: 2019-February-13
Security risk: Critical 17/25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol.

The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.
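The two defects above have standard remedies: a redirect destination taken from the request must be checked to be a site-local path before it is stored or used, and any user input echoed in an error message must be escaped for its HTML context. The following PHP is an added illustration written for this page, not code from the module; Drupal ships its own helpers for both jobs (for example url_is_external() and check_plain() in Drupal 7), and the function names below are assumptions for the example.

```php
<?php
// Added example, not the module's code. Shows (1) accepting only site-local
// redirect destinations and (2) escaping user input before it is rendered
// inside an error message. Function names are assumptions for this example.

/**
 * Returns TRUE only if $destination is a site-local path.
 *
 * Rejects absolute URLs (any scheme or host), protocol-relative "//host"
 * forms, backslashes (which some browsers normalise to "/"), and control
 * characters, so the value can safely be used in a Location header.
 */
function is_local_destination(string $destination): bool {
  if ($destination === '' || $destination[0] !== '/') {
    return FALSE;
  }
  if (strlen($destination) > 1 && ($destination[1] === '/' || $destination[1] === '\\')) {
    return FALSE;
  }
  if (strpos($destination, '\\') !== FALSE || preg_match('/[\x00-\x1F]/', $destination)) {
    return FALSE;
  }
  $parts = parse_url($destination);
  if ($parts === FALSE || isset($parts['scheme']) || isset($parts['host'])) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Chooses the post-login redirect: the requested destination if it is
 * local, otherwise the front page. This is the value that would be stored
 * in the module's redirect variable instead of the raw request parameter.
 */
function safe_login_redirect(?string $requested): string {
  return ($requested !== NULL && is_local_destination($requested)) ? $requested : '/';
}

/**
 * Builds an error message that embeds user input. The input is escaped for
 * an HTML text context, so any markup in $provider is shown literally.
 * ENT_QUOTES also makes the result safe inside a quoted attribute value.
 */
function auth_error_message(string $provider): string {
  $safe = htmlspecialchars($provider, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  return '<p>Authentication with provider "' . $safe . '" failed.</p>';
}

// Constructed sample inputs: one legitimate path and several redirect tricks.
$samples = [
  '/user/1',
  '//evil.example/phish',
  'https://evil.example/',
  '/\\evil.example',
  'javascript:alert(1)',
];
foreach ($samples as $d) {
  printf("%-24s -> %s\n", $d, safe_login_redirect($d));
}
echo auth_error_message('<script>alert(1)</script>'), "\n";
```

Only the first sample survives as a redirect target; every other one falls back to "/". The escaping step is the same one needed for the error message in the test authentication endpoint: it must run at output time, in the context (text or attribute) where the value lands.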

Solution: 

Install the latest version:

Project: Focal Point
Version: 7.x-1.1, 7.x-1.0
Date: 2019-February-13
Security risk: Moderately critical 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Solution: 

Install the latest version:

Also see the Focal Point project page.

Project: Acquia Connector
Date: 2019-February-06
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.

The module does not properly enforce access control in a specific case, which can lead to disclosing information.

The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.

Solution: 

Install the latest version:

This vulnerability can also be mitigated by unchecking "Source code" under "Allow collection and examination of the following items" on the Acquia Subscription settings page (Drupal 7) or the Acquia Connector settings page (Drupal 8). The settings page is under Administration -> Configuration -> System.

For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush:

drush vset acquia_spi_module_diff_data FALSE

For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush:

drush config-set acquia_connector.settings spi.module_diff_data 0

Also see the Acquia Connector project page.

Project: Login Alert
Date: 2019-February-06
Security risk: Moderately critical 13/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account.

The module doesn't employ sufficient randomness in the generation of URLs, which represents an Access Bypass vulnerability.
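Both this advisory and the Entity Registration advisory above come down to the same design point: a URL that grants access to something (a registration record, a "terminate all sessions" action) must carry a secret that cannot be predicted from a pattern or a counter. The PHP below is an added illustration for this page, not code from either module; Drupal provides equivalents (drupal_random_bytes() in Drupal 7, Crypt::randomBytesBase64() in Drupal 8), and the storage array, function names and TTL are assumptions for the example.

```php
<?php
// Added example, not either module's code. Issues an unguessable token for a
// per-record link and verifies it in constant time. The $store array stands
// in for a database table; names and the TTL are assumptions.

const TOKEN_BYTES = 32; // 256 bits from the CSPRNG, far beyond guessing range.

/**
 * Creates a token bound to $item_id and returns the value to put in the URL.
 * Only a SHA-256 hash of the token is stored, so reading the store does not
 * yield working links.
 */
function issue_token(array &$store, int $item_id, int $ttl_seconds = 3600): string {
  // URL-safe base64 without padding, so the token needs no further encoding.
  $token = rtrim(strtr(base64_encode(random_bytes(TOKEN_BYTES)), '+/', '-_'), '=');
  $store[$item_id] = [
    'hash' => hash('sha256', $token),
    'expires' => time() + $ttl_seconds,
  ];
  return $token;
}

/**
 * Verifies a presented token for $item_id. Binding the token to the record
 * id means a valid token for one registration says nothing about another,
 * and hash_equals() keeps the comparison time independent of the mismatch
 * position.
 */
function verify_token(array $store, int $item_id, string $presented): bool {
  if (!isset($store[$item_id]) || time() > $store[$item_id]['expires']) {
    return FALSE;
  }
  return hash_equals($store[$item_id]['hash'], hash('sha256', $presented));
}

/**
 * Consumes a token once it has been used, e.g. after the session-termination
 * link has fired, so the same link cannot be replayed later.
 */
function revoke_token(array &$store, int $item_id): void {
  unset($store[$item_id]);
}

// Constructed demo: the record id (42) is trivially guessable; the token is not.
$store = [];
$token = issue_token($store, 42);
echo "/registration/42/" . $token, "\n";
var_dump(verify_token($store, 42, $token));       // the issued token
var_dump(verify_token($store, 42, 'guessed'));    // a guessed value
var_dump(verify_token($store, 43, $token));       // right token, wrong record
revoke_token($store, 42);
var_dump(verify_token($store, 42, $token));       // after single use
```

Of the four checks only the first succeeds. Note that the token replaces guessability, not authorisation: the handler behind the link still has to apply the View/Edit/Delete permission check for the registration type, which is the second half of the Entity Registration mitigation described above.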

Solution: 

Install the latest version:

Also see the Login Alert project page.

Project: Public Download Count
Date: 2019-February-06
Security risk: Less critical 8/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Open Redirect Vulnerability
Description:

This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination.

The module did not verify that the links provided to the intermediate page were actually present in the Drupal site content and did not contain checks to prevent external sites from accessing the counter.
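The fix for an intermediate "count then redirect" page is to look the destination up rather than accept it: the page takes an opaque identifier that the module itself issued when it rewrote the link in content, so it can only ever redirect to URLs it has already seen. The PHP below is an added illustration for this page, not the module's code; the registry array, the Referer handling and the function names are assumptions for the example.

```php
<?php
// Added example, not the Public Download Count module's code. A download
// counter that only redirects to links it registered while rendering site
// content. $registry stands in for a database table; names are assumptions.

/**
 * Called when a link in content is rewritten. Records the destination and
 * returns the opaque id that the rewritten link carries instead of the URL.
 */
function register_download(array &$registry, string $url): string {
  $parts = parse_url($url);
  // Only absolute http(s) URLs become counted downloads.
  if ($parts === FALSE || !isset($parts['scheme'], $parts['host'])
      || !in_array(strtolower($parts['scheme']), ['http', 'https'], TRUE)) {
    throw new InvalidArgumentException("Not an http(s) URL: $url");
  }
  $id = hash('sha256', $url); // deterministic: one counter per distinct URL
  if (!isset($registry[$id])) {
    $registry[$id] = ['url' => $url, 'count' => 0];
  }
  return $id;
}

/**
 * Returns TRUE when the Referer names this site. Referer is client-controlled
 * and often absent, so this only limits casual inflation of the counter; the
 * redirect itself is safe regardless because the id is never a URL.
 */
function same_site_referer(?string $referer, string $site_host): bool {
  if ($referer === NULL) {
    return FALSE;
  }
  $host = parse_url($referer, PHP_URL_HOST);
  return is_string($host) && strcasecmp($host, $site_host) === 0;
}

/**
 * Handles the intermediate page /download/{id}. Returns the Location value
 * on success, or NULL so the caller can answer 404. Unknown ids are refused,
 * so the page cannot be used to redirect to an arbitrary external site.
 */
function handle_download(array &$registry, string $id, ?string $referer, string $site_host): ?string {
  if (!preg_match('/^[a-f0-9]{64}$/', $id) || !isset($registry[$id])) {
    return NULL;
  }
  if (same_site_referer($referer, $site_host)) {
    $registry[$id]['count']++;
  }
  return $registry[$id]['url'];
}

// Constructed demo.
$registry = [];
$site = 'www.example.org';
$id = register_download($registry, 'https://files.example.org/report.pdf');
handle_download($registry, $id, 'https://www.example.org/node/1', $site); // counted
handle_download($registry, $id, 'https://other.example/page', $site);    // redirected, not counted
$unknown = handle_download($registry, hash('sha256', 'https://evil.example/'), NULL, $site);
printf("counted clicks: %d, unknown id -> %s\n", $registry[$id]['count'], var_export($unknown, TRUE));
```

The essential property is that the request never carries a URL at all; it carries a key into a table the site controls. That removes the open redirect entirely, and the Referer check is a separate, weaker control that only affects whether a click is counted.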

Solution: 

Install the latest version:

Also see the Public Download Count project page.

Project: Anti Spam by CleanTalk
Date: 2019-January-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Nodeaccess
Date: 2019-January-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Expand collapse formatter
Date: 2019-January-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Gridstack field
Date: 2019-January-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.
