Drupal Security

Project: SpamSpan filterDate: 2020-January-22Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.

This module contains a spamspan twig filter which doesn't sanitize the passed HTML string.

This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpan filter on a field that an attacker could populate. By default the SpamSpan module does not use the vulnerable twig filter.

Solution: 

Install the latest version:

• If you use the SpamSpan module for Drupal 8.x, upgrade to SpamSpan 8.x-1.1

Also see the SpamSpan filter project page.

Reported By: 

• Jeroen Tubex

Fixed By: 

• Jeroen Tubex
• vitalie

Coordinated By: 

• Ben Jeavons of the Drupal Security Team

Project: RadixDate: 2020-January-15Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution: 

Install the latest version:

• If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8

Also see the Radix project page.

Reported By: 

• annagaz

Fixed By: 

• David Snopek of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Edited to clarify the nature of the upstream release.

Solution: 

Install the latest version:

• If you are using Drupal 7.x, upgrade to Drupal 7.69.
• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

(Note that this SA is the only one in the list that applies to Drupal 7.x)

Reported By: 

• Jasper Mattsson

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Sam Becker
• Jasper Mattsson
• David Rothstein of the Drupal Security Team
• michieltcs
• Ayesh Karunaratne
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Vijaya Chandran Mani Provisional Security Team Member
• Drew Webber of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution: 

• If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Adam G-H

Fixed By: 

• Adam G-H
• Jess of the Drupal Security Team
• Andrei Mateescu
• Greg Knaddison of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Sean Blommaert
• Lee Rowlands of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: 

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Solution: 

Install the latest version:

• If you use Drupal core 8.7.x: 8.7.11
• If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Rohit Kapur
• Filipe Reis
• Dan Reif
• mramydnei

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Kim Pepper
• Alex Pott of the Drupal Security Team
• Derek Wright
• Jess of the Drupal Security Team
• David Rothstein of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: 

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

Solution: 

Install the latest version:

• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.

Additional information

All advisories released today:

• SA-CORE-2019-009
• SA-CORE-2019-010
• SA-CORE-2019-011
• SA-CORE-2019-012

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Heine of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• David Snopek of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: WebformVersion: 7.x-4.207.x-4.20-rc17.x-4.197.x-4.19-rc17.x-4.187.x-4.18-rc17.x-4.177.x-4.17-rc17.x-4.167.x-4.16-rc17.x-4.157.x-4.15-rc17.x-4.147.x-4.137.x-4.127.x-4.117.x-4.107.x-4.97.x-4.87.x-4.77.x-4.67.x-4.57.x-4.47.x-4.37.x-4.27.x-4.17.x-4.07.x-4.0-rc67.x-4.0-rc57.x-4.0-rc47.x-4.0-rc37.x-4.0-rc27.x-4.0-rc17.x-4.0-beta37.x-4.0-beta27.x-4.0-beta17.x-4.0-alpha107.x-4.0-alpha97.x-4.0-alpha87.x-4.0-alpha77.x-4.0-alpha67.x-4.0-alpha57.x-4.0-alpha47.x-4.0-alpha37.x-4.0-alpha27.x-4.0-alpha17.x-3.28-rc17.x-3.277.x-3.27-rc17.x-3.267.x-3.26-rc17.x-3.257.x-3.247.x-3.237.x-3.227.x-3.217.x-3.207.x-3.197.x-3.187.x-3.177.x-3.167.x-3.157.x-3.137.x-3.127.x-3.117.x-3.107.x-3.97.x-3.87.x-3.77.x-3.67.x-3.4-beta17.x-3.3-beta17.x-3.0-beta87.x-3.0-beta77.x-3.0-beta67.x-3.0-beta57.x-3.0-beta47.x-3.0-beta37.x-3.0-beta2Date: 2019-December-11Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: 

This module enables you to create forms to collect information from users and report, analyze and distribute it by email.

The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.

The 7.x-4.x module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten and therefore lost or forged.

The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the webform must have the advanced form setting of either 'Show "Save draft" button' and/or "Automatically save as draft between pages and when there are validation errors". Neither of these two options are enabled by default. Anonymous users cannot submit drafts and therefore cannot exploit this vulnerability.

Solution: 

Install the latest version:

• If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform 7.x-3.29 or to Webform 7.x-4.21.
• If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform 7.x-4.21

Reported By: 

• Robin De Herdt
• Ayesh Karunaratne

Fixed By: 

• Robin De Herdt
• Ayesh Karunaratne
• Liam Morland
• Dan Chadwick
• Roman Zimmermann

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Permissions by TermDate: 2019-December-11Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms.

The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists.

Solution: 

Install the latest version:

• If you use the Permissions by Term module for Drupal 8.x, including all of the 8.x-1.x branch, upgrade to Version 8.x-2.0 or later.
• The settings have been refactored. They are now bundled in the "permissions_by_term.settings.yml" file. There are not so many settings, so you can simply visit PbT's settings page and set the settings manually. Like the setting for "single term restriction".

Also see the Permissions by Term project page.

Reported By: 

• Tamás Nagy

Fixed By: 

• Peter Majmesku

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Modal PageVersion: 8.x-2.48.x-2.38.x-2.28.x-2.18.x-2.0Date: 2019-December-11Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This project enables administrators to create modal dialogs.

The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations.

Solution: 

• If you use the Modal Page module 8.x-2.x, upgrade to 8.x-2.5
• Review user permissions after updating to ensure only trusted users have access to manage modals.

Reported By: 

• Will Mowlam

Fixed By: 

• Renato Gonçalves H
• Thalles Ferreira

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Taxonomy access fixVersion: 8.x-2.68.x-2.58.x-2.4Date: 2019-December-11Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check,

• if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
• if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.

The vulnerability is mitigated by the facts, that

• the user interface to change the status of Taxonomy Terms has been released in Drupal Core 8.8 and a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
• all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions.
• an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.

Solution: 

Install the latest version:

• If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7

Also see the Taxonomy Access Fix project page.

Reported By: 

• guedressel

Fixed By: 

• Julian Pustkuchen
• Patrick Fey
• Oleh Vehera
• guedressel

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Smart TrimVersion: 8.x-1.18.x-1.08.x-1.0-beta1Date: 2019-December-11Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

The Smart Trim module allows site builders additional control with text summary fields.

The module doesn't sufficiently filter text when certain options are selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.

Solution: 

Install the latest version:

• If you use the Smart Trim module for Drupal 8.x, upgrade to smart_trim-8.x-1.2

Also see the Smart Trim project page.

Reported By: 

• Anne
• Adam Shepherd

Fixed By: 

• Anne
• Mark Casias

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Floating Button MenuDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: Webform Multiple File UploadDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: Commerce IngenicoDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: SendinBlueDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: Make Meeting SchedulerDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: Webform ReportDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Project: NodequeueVersion: 7.x-2.x-devDate: 2019-November-13Security risk: Critical 16∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

Updated November 22.

This module enables you to collect nodes in an arbitrarily ordered list.

Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loaded.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "manipulate queues".

Original advisory:
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

Install the latest version:

• If you use the Nodequeue module for Drupal 7.x, upgrade to Nodequeue 7.x-2.2

Also see the Nodequeue project page.

Original solution

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Reported By: 

• Yonatan Offek

Fixed By: 

• Vijaya Chandran Mani
• Jen Lampton

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Taxonomy CSV import/exportVersion: 7.x-5.x-devDate: 2019-November-13Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:All/II:None/E:Theoretical/TD:AllVulnerability: Information disclosureDescription: 

Updated January 9th, 2020

This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present in the web server.

The module doesn't sufficiently validate user input when providing a local
filename to import.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "import taxonomy by csv".

Original advisory:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

Install the latest version:

• If you use the Taxonomy CSV module for Drupal 7.x, upgrade to taxonomy_csv 7.x-5.11

Reported By: 

• Yonatan Offek

Fixed By: 

• Ariel Barreiro, the module maintainer

Coordinated By: 

• David Snopek of the Drupal Security Team

Project: Feeds JSONPath ParserDate: 2019-November-13Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.