Drupal Security Advisories

Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: Moderately critical 11/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Request Forgery
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

Solution: 

Install the latest version:

  • If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16

Project: DRD Agent
Date: 2018-April-25
Security risk: Critical 15/25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: PHP object injection
Description:

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data exchanged between them, but to do so they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. Because unserialize is called on unauthenticated content, this introduces a PHP object injection vulnerability.
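As an added illustration (not code from DRD or DRD Agent), the decoding step described above in its vulnerable form beside two hardened alternatives; the class and function names are hypothetical and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not DRD/DRD Agent code: why unserialize() on untrusted input
// is dangerous, and two safe ways to decode a message after decrypting it.
// ExampleHook and decode_agent_message() are hypothetical names.
declare(strict_types=1);

// Any loaded class with a magic method becomes reachable when attacker-
// controlled data reaches unserialize(). This one only records that it ran,
// so the effect is visible without doing anything harmful.
class ExampleHook {
    public static array $log = [];
    public function __wakeup(): void {
        self::$log[] = 'ExampleHook::__wakeup ran during unserialize()';
    }
}

// Constructed sample: a serialized ExampleHook object, i.e. the kind of input
// the vulnerable path accepts. The remote sender controls this string fully.
$untrusted = 'O:11:"ExampleHook":0:{}';

// BEFORE (the pattern the advisory describes): the sender chooses which class
// is instantiated, and its __wakeup()/__destruct() run on the receiving site.
$obj = unserialize($untrusted);
assert(count(ExampleHook::$log) === 1);

// AFTER, option 1: keep unserialize() but refuse every class. Objects in the
// payload become __PHP_Incomplete_Class and no magic method is invoked.
ExampleHook::$log = [];
$safe = unserialize($untrusted, ['allowed_classes' => false]);
assert($safe instanceof __PHP_Incomplete_Class);
assert(ExampleHook::$log === []);

// AFTER, option 2 (what the advisory recommends): exchange JSON, which can
// only yield arrays and scalars, never objects of application classes.
function decode_agent_message(string $json): array {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['action'])) {
        throw new InvalidArgumentException('malformed agent message');
    }
    return $data;
}

// Constructed sample message in the safe format.
$msg = decode_agent_message('{"action":"status","site":"example.invalid"}');
assert($msg['action'] === 'status');

// A serialized-object string smuggled inside JSON stays an inert string.
$msg2 = decode_agent_message('{"action":"status","payload":"O:11:\\"ExampleHook\\":0:{}"}');
assert(is_string($msg2['payload']) && ExampleHook::$log === []);
```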

Solution: 

Install the latest version:


Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: Critical 18/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution: 

Install the latest version:

  • If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19
Coordinated By: 
  • Dave Reid the module maintainer and member of the Drupal Security Team

Project: Drupal core
Date: 2018-April-25
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. While SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)


Project: Display Suite
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: Critical 17/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting (XSS)
Description:

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the URL.

Solution:

Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk: Critical 17/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon
Vulnerability: Access bypass
Description:

This module helps in exporting and importing Menu Items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Solution: 

Update to Menu Import and Export 8.x-1.2.


Project: Drupal core
Date: 2018-April-18
Security risk: Moderately critical 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.

Project: Drupal core
Date: 2018-March-28
Security risk: Highly critical 21/25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Project: Exif
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to retrieve image metadata and use it in fields or the title.

The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Solution: 

Install the latest version:

  • If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1

Project: JSON API
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to view the related data, otherwise all they can glean is an entity type UUID and a UUID, which are meaningless by themselves.

Solution: 

Install the latest version:
