Drupal Security Advisories

Project: Maxlength
Date: 2019-October-09
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the malicious script will not be triggered in the browser of UID 1 nor in that of any user with the "Bypass maxlength setting" permission.

Solution: 

Install the latest version:

Also see the Maxlength project page.

Project: Localization update
Date: 2019-October-02
Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Insecure server configuration
Description:

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.

The module doesn't sufficiently protect the directory it stores translation files in. It is conventional for directories that may be writable to be protected by a .htaccess file, so that malicious PHP files placed within them cannot be executed by the webserver.

This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.

Solution: 

Install the latest version:

Also see the Localization update project page.

Project: Simple AMP (Accelerated Mobile Pages)
Date: 2019-October-02
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module allows display of a site's content in AMP format.

The module doesn't sufficiently check access on unpublished or restricted content.

Solution: 

Install the latest version of the module.

Also see the Simple AMP (Accelerated Mobile Pages) project page.

Project: Ubercart
Date: 2019-October-02
Security risk: Moderately critical 11∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The order module doesn't sufficiently sanitize user input when it is displayed on an invoice, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".

Solution: 

Install the latest version:

Also see the Ubercart project page.

Project: Gutenberg
Date: 2019-September-25
Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a new UI experience for node editing, the Gutenberg editor.

The routes used by the Gutenberg editor lack proper permission checks, allowing untrusted users to view and modify some content they should not be able to view or modify.

Solution: 

Install the latest version:

  • If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.8
  • For roles other than administrator, the Administer Gutenberg permission must be granted to handle media files in the Gutenberg editor.

Also see the Gutenberg project page.

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to control access to content based on taxonomy terms.

The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution: 

Install the latest version:

Also see the Permissions by Term project page.

Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the "Export Tablefield Data as CSV" permission: they can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Export Tablefield Data as CSV".

Solution: 

Install the latest version:

Also see the TableField project page.

Project: Create user permission
Version: 8.x-1.x-dev
Date: 2019-September-18
Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to have a separate permission only for creating users.

The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".

When this option is chosen, the module overrides the setting and makes it possible to register accounts with no approval.

This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".

Solution: 

Install the latest version:

Also see the Create user permission project page.

Project: Imagecache External
Date: 2019-August-21
Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure session token management
Description:

This module allows you to store external images on your server and apply your own Image Styles to them.

The module exposes cookies to external sites when making external image requests.

This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests to trusted sources.

Solution: 

Install the latest version:

Also see the Imagecache External project page.
