Drupal Security

Project: RenderkitDate: 2018-September-19Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module, typically in combination with cfr:cfrplugin, allows to compose behaviors from granular components. One of such behaviors is to display a list of related entities, for a given source entity and a given entity relation (e.g. an entity reference field).

The components that display related content do not check if the user has access to view the related entities. This way e.g. unpublished nodes may be displayed to anonymous visitors.

This vulnerability is mitigated by the facts that
- a site builder must have used the component that displays "related" entities for a source entity, using cfr:cfrplugin, OR a programmer has used one of the affected components in code.
- a source entity displayed this way must reference access-restricted content.

Solution: 

Install the latest version:

• If you use the Renderkit module for Drupal 7.x, upgrade to Renderkit 7.x-1.6

Also see the Renderkit project page.

Reported By: 

• Andreas Hennings

Fixed By: 

• Andreas Hennings

Coordinated By: 

• Lee Rowlands

Project: FractionDate: 2018-September-05Security risk: Less critical 5∕25 6/25 ( Less Critical) AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:AllVulnerability: XSS vulnerabilityDescription: 

This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.

Solution: 

Install the latest version:

• If you use the Fraction module for Drupal 7.x, upgrade to Fraction 7.x-1.7.
• If you use the Fraction module for Drupal 8.x, upgrade to Fraction 8.x-1.2.

Also see the Fraction project page.

Reported By: 

• bucefal91

Fixed By: 

• bucefal91
• Michael Stenta, the module maintainer.

Coordinated By: 

• Michael Hess of the security team.

Project: Bing Autosuggest APIVersion: 7.x-1.x-devDate: 2018-August-29Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API request.

Solution: 

Install the latest version:

• If you use the Bing Autosuggest API module for Drupal 7.x, upgrade to Bing Autosuggest API 7.x-1.1

Also see the Bing Autosuggest API project page.

Reported By: 

• Drew Webber Provisional Security Team Member

Fixed By: 

• Drew Webber
• Alex Sansom

Coordinated By: 

• Drew Webber Provisional Security Team Member

Project: Drupal CommerceVersion: 8.x-2.x-devDate: 2018-August-29Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.

Solution: 

Update to Commerce 8.x-2.9.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Samuel Mortenson of the Drupal Security Team
• Matt Glaman
• Bojan Živanović
• Wim Leers

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team

Project: File (Field) PathsDate: 2018-August-15Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:

• If you use the filefield_paths module for Drupal 7.x, upgrade to filefield_paths 7.x-1.1

Reported By: 

• Wayne Eaker
• jasonschweb
• ericdee

Fixed By: 

• Oleh Vehera

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: PHP ConfigurationVersion: 8.x-1.07.x-1.0Date: 2018-August-08Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescription: 

This module enables you to add or overwrite PHP configuration on a drupal website.

The module doesn't sufficiently allow access to set these configurations, leading to arbitrary PHP configuration execution by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, it's important to review the permissions of your website and if 'administer phpconfig' permission is given to a not fully trusted user role, we advise to revoke it.

Solution: 

Install the latest version:

• If you use the PHP Configuration module for Drupal 7.x, upgrade to PHP Configuration
  7.x-1.1
• If you use the PHP Configuration module for Drupal 8.x, upgrade to PHP Configuration
  8.x-1.1

Also see the PHP Configuration project page.

Reported By: 

• Balazs Janos Tatar Provisional security team member

Fixed By: 

• bappa.sarkar The module maintainer

Coordinated By: 

• mpotter of the Drupal Security Team

• Advisory ID: SA-CORE-2018-005
• Project: Drupal core
• Version: 8.x
• CVE: CVE-2018-14773
• Date: 2018-August-01

Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By

• James Kettle

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

The Drupal Security Team will be coordinating a security release for Drupal 8 this week on Wednesday, August 1, 2018. (We are issuing this PSA in advance because the in the regular security release window schedule, August 1 would not typically be a core security window.)

The Drupal 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm EDT). It is rated as moderately critical and will be an update to a vendor library only.

August 1 also remains a normal security release window for contributed projects.

Updates

• 2018-07-31 — Made the time window consistent with the normal security release window.
• 2018-08-01 — Added UTC times in addition it EDT.

Project: Select (or other)Date: 2018-July-25Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

• If you use the "Select or other" 7.x-2.x, upgrade to Select or other 7.x-2.24
• If you use the "Select or other" 7.x-3.x, upgrade to Select or other 7.x-3.0-alpha3

Also see the Select (or other) project page.

Reported By: 

• bucefal91

Fixed By: 

• Chris Jansen, the module maintainer

Coordinated By: 

Michael Hess of the Drupal Security Team

Project: XML sitemapDate: 2018-July-18Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution.

Solution: 

• If you use the XML sitemap module for Drupal 7.x, upgrade to XML sitemap 7.x-2.4

Also see the XML sitemap project page.

Reported By: 

• Balazs Janos Tatar Provisional Security Team member

Fixed By: 

• Balazs Janos Tatar
• jtsnow
• Tushar Thatikonda

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Taxonomy Entity QueueDate: 2018-July-18Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: SQL InjectionDescription: 

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution: 

Install the latest version:

• If you use the Taxonomy Entity Queue module for Drupal 7.x, upgrade to Taxonomy Entity Queue 7.x-1.1

Also see the Taxonomy Entity Queue project page.

Reported By: 

• Drew Webber

Fixed By: 

• Bappa Sarkar
• Drew Webber

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: TapestryDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the Tapestry theme for Drupal 7.x, upgrade to Tapestry 7.x-2.2

Also see the Tapestry project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: litejazzDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the litejazz theme for Drupal 7.x, upgrade to litejazz 7.x-2.3

Also see the litejazz project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: NewsFlashDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the NewsFlash theme for Drupal 7.x, upgrade to NewsFlash 7.x-2.6

Also see the NewsFlash project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Beale StreetDate: 2018-July-11Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution: 

• If you use the Beale Street theme for Drupal 7.x, upgrade to Beale Street 7.x-1.2

Also see the Beale Street project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: EU Cookie ComplianceDate: 2018-July-11Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs leading to XSS. This is mitigated by the attacker having the permission "Administer EU Cookie Compliance."

Solution: 

Install the latest version:

• If you use the eu_cookie_compliance module for Drupal 7.x, upgrade to eu_cookie_compliance 7.x-1.24
• If you use the eu_cookie_compliance module for Drupal 8.x, upgrade to eu_cookie_compliance 8.x-1.1

Also see the EU Cookie Compliance project page.

Reported By: 

• Alexander Hass

Fixed By: 

• Sven Berg Ryen
• Alexander Hass

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Commerce Custom Order StatusDate: 2018-July-11Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability:  Cross Site ScriptingDescription: 

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Solution: 

Install the latest version:

• If you use the Commerce Custom Order Status module for Drupal 7.x, upgrade to Commerce Custom Order Status 7.x-1.1

Also see the Commerce Custom Order Status project page.

Reported By: 

• bucefal91

Fixed By: 

• bucefal91
• Fabien Leroux

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Universally Unique IDentifierDate: 2018-July-04Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Arbitrary file uploadDescription: 

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module module has an arbitrary file upload vulnerability when it's used in combination with the services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to allow to upload to the file create REST endpoint.

Solution: 

If you use the uuid module for Drupal 7.x, upgrade to uuid 7.x-1.1

Also see the Universally Unique IDentifier project page

Reported By: 

• Gustavo Iñiguez Goia

Fixed By: 

• Manuel Garcia

Coordinated By: 

• Michael Hess Of the Drupal Security Team

Project: TFA Basic pluginsVersion: 7.x-1.0Date: 2018-June-27Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Insecure RandomnessDescription: 

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes which is an uncommon configuration.

Solution: 

• If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1

Also see the TFA Basic plugins project page.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Mass Password ResetVersion: 7.x-1.0Date: 2018-June-27Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Insecure RandomnessDescription: 

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Solution: 

Install the latest version:

• If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass Password Reset 7.x-1.1.

Also see the Mass Password Reset project page.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Greg Knaddison of the Drupal Security Team
• Mark Shropshire

Coordinated By: 

• Greg Knaddison of the Drupal Security Team