Drupal Security

Project: The Better Mega MenuDate: 2021-September-22Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Access bypassDescription: 

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

This module has a vulnerability whereby users can select blocks as a menu item they don't have permission to view.

The vulnerability is mitigated by the fact that it can only be exploited by an attacker with the "Administer TB Mega Menu" permission.

Solution: 

Install the latest version:

• If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4

Reported By: 

• Patrick Fey

Fixed By: 

• Patrick Fey
• Henry Odiete
• quondam

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: The Better Mega MenuDate: 2021-September-22Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryDescription: 

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not use CSRF tokens to protect routes for saving menu configurations.

This vulnerability can be exploited by an anonymous user.

Solution: 

Install the latest version:

• If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4

Reported By: 

• Patrick Fey

Fixed By: 

• Patrick Fey
• knaffles

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: The Better Mega MenuDate: 2021-September-22Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

It does not sufficiently sanitize user input such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have permission to administer mega menus and/or create or edit menu links, to inject the XSS.

Solution: 

Install the latest version:

• If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4

Reported By: 

• Patrick Fey

Fixed By: 

• Patrick Fey
• Wade Stewart
• Greg Knaddison of the Drupal Security Team
• Chris Panza
• knaffles

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: The Better Mega MenuDate: 2021-September-22Security risk: Moderately critical 12∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilitiesDescription: 

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-end markup.

This vulnerability is mitigated by the fact that it can only be exploited by an attacker with permissions to administer TB Mega Menu, or a sophisticated anonymous user using a site-specific attack that exploits the Cross Site Request Forgery vulnerability that is fixed by this same release.

Solution: 

Install the latest version:

• If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu 8.x-1.4

Reported By: 

• Patrick Fey

Fixed By: 

• Patrick Fey
• knaffles

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Domain GroupDate: 2021-September-22Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables sites to define a domain from Domain Access that points directly to a group page.

The module doesn't sufficiently manage the access to content administrative paths allowing an attacker to see and take actions on content (nodes) they should be allowed to.

Solution: 

Install the latest version:

• If you use the domain_group module for Drupal 8.x, upgrade to domain_group 8.x-1.04
• If you use the domain_group module for Drupal 9.x, upgrade to domain_group 2.0.1

Reported By: 

• Kalle Kipinä

Fixed By: 

• Ivan Duarte
• Kalle Kipinä

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service ProviderDate: 2021-September-22Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

This module provides a solution to authenticate visitors using existing SAML providers.

Certain non-default configurations allow a malicious user to login as any chosen user.

The vulnerability is mitigated by the module's default settings which require the options "Either sign SAML assertions" and "x509 certificate".

Solution: 

Ensure that the "Either SAML response or SAML assertion must be signed" and "x509 certificate" options on the dedicated plugin page are both enabled.

Install the latest version:

• If you use the SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module for Drupal 8.x or 9.x, upgrade to SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 8.x-2.24
• If you use the SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider module for Drupal 7.x, upgrade to SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 7.x-2.57

Reported By: 

• Cristian 'void' Giustini

Fixed By: 

• Cristian 'void' Giustini
• abhay19

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Taxonomy ManagerDate: 2021-September-22Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module provides a powerful interface for managing a taxonomy vocabulary. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed.

The module does not take the correct user permissions into account, allowing an attacker to delete and move terms.

The issue is mitigated by the fact that an attacker must have permission to create terms in the targeted vocabulary.

Solution: 

Install the latest version:

• If you use the Taxonomy Manager module for Drupal 8 or 9, upgrade to Taxonomy Manager 2.0.6

Reported By: 

• Klaus Purer

Fixed By: 

• Matthias Hutterer
• Klaus Purer
• Ales Bencina

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Search API attachmentsDate: 2021-September-22Security risk: Critical 15∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes.

The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code execution by a limited set of users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search_api". Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Solution: 

Install the latest version:

• If you use the search_api_attachments module for Drupal 7.x, upgrade to search_api_attachments 7.x-1.19

The 8.x branch does not have Security Coverage.

Reported By: 

• Florent Torregrosa

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Ismaeil Abouljamal

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: File ExtractorDate: 2021-September-22Security risk: Critical 15∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes.

The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code execution by a limited set of users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer File Extractor" to access the settings form. Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Solution: 

Install the latest version:

• If you use the File Extractor 2.0.2 or below, upgrade to File Extractor 2.0.3
• If you use the File Extractor 3.0.0, upgrade to File Extractor 3.0.1
• If you use the File Extractor 4.0.0, upgrade to File Extractor 4.0.1

Reported By: 

• Florent Torregrosa

Fixed By: 

• Florent Torregrosa

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Commerce CoreDate: 2021-September-22Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypass, Information DisclosureDescription: 

This module provides a system for building an ecommerce solution in their Drupal site.

The module doesn't sufficiently verify access to profile data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation.

Solution: 

Install the latest version:

• If you use the Commerce module for Drupal 8.x, upgrade to Commerce 8.x-2.27

Reported By: 

• Sasanka Jandhyala

Fixed By: 

• Sasanka Jandhyala
• Matt Glaman
• Jonathan Sacksick

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Client-side Hierarchical SelectDate: 2021-September-22Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingDescription: 

The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.

The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.

Solution: 

Install the latest version:

• If you use the cshs module for Drupal 8 or 9, upgrade to Client-side Hierarchical Select 8.x-3.5.

Reported By: 

• Patrick Fey

Fixed By: 

• Sergii Bondarenko
• Patrick Fey

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: User hashDate: 2021-September-22Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Cache poisoningDescription: 

This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters.

The module doesn't sufficiently invalidate page output when the page_cache module is used.

This vulnerability is mitigated by the fact that an attacker must have a user hash that grants access to specific content and the attack must be timed to the reset of the page cache.

Solution: 

Install the latest version:

• If you use the user_hash module for Drupal 8 or 9, upgrade to User Hash 2.0.1

Reported By: 

• Jürgen Haas
• Lee Rowlands of the Drupal Security Team

Fixed By: 

• Jürgen Haas
• Lee Rowlands of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: GraphQLDate: 2021-September-15Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13675Description: 

This advisory addresses a similar issue to Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008.

The GraphQL module allows file uploads through its HTTP API. The module does not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by four factors:

1. The GraphQL module must be enabled on the site.
2. The GraphQL schema must expose a file upload by using the helper "src/GraphQL/Utility/FileUpload.php" in the module.
3. An attacker must have access to that file upload via the GraphQL API.
4. The site must employ a file validation module.

Solution: 

Install the latest version:

• If you use the GraphQL module 8.x-4.x for Drupal 8.x or 9.x, upgrade to GraphQL 8.x-4.2
• If you use the GraphQL module 8.x-3.x for Drupal 8.x no action is needed as a result of this advisory as the 8.x-3.x branch is not affected by this issue.

Reported By: 

• Klaus Purer

Fixed By: 

• Klaus Purer
• Jess of the Drupal Security Team
• pmelab
• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Samuel Mortenson
• Kim Pepper

Coordinated By: 

• xjm of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Entity EmbedDate: 2021-September-15Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13673Description: 

This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006.

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

Solution: 

Install the latest version:

• If you use the Entity Embed module for Drupal 8 or 9, upgrade to Entity Embed 8.x-1.2.

Drupal 7 versions of Entity Embed do not have a stable release and therefore do not receive security coverage.

Reported By: 

• Aaron Zinck

Fixed By: 

• Jess of the Drupal Security Team
• Adam G-H
• Drew Webber of the Drupal Security Team

Coordinated By: 

• xjm of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access BypassCVE IDs: CVE-2020-13677Description: 

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.6.
• If you are using Drupal 9.1, update to Drupal 9.1.13.
• If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the JSON:API module and therefore is not affected.

Reported By: 

• Brad Jones

Fixed By: 

• Brad Jones
• Jess of the Drupal Security Team
• Björn Brala
• Gabe Sullice
• Mateu Aguiló Bosch

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13676Description: 

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.6.
• If you are using Drupal 9.1, update to Drupal 9.1.13.
• If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Reported By: 

• Greg Watson

Fixed By: 

• Greg Watson
• Wim Leers
• Jess of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Joseph Zhao
• Vijay Mani
• Adam G-H
• Drew Webber of the Drupal Security Team

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassCVE IDs: CVE-2020-13675Description: 

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

1. The JSON:API or REST File upload modules must be enabled on the site.
2. An attacker must have access to a file upload via JSON:API or REST.
3. The site must employ a file validation module.

This advisory is not covered by Drupal Steward.

Also see GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029 which addresses a similar vulnerability for that module.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.6.
• If you are using Drupal 9.1, update to Drupal 9.1.13.
• If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By: 

• Klaus Purer

Fixed By: 

• Klaus Purer
• Lee Rowlands of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Samuel Mortenson
• Drew Webber of the Drupal Security Team
• Kim Pepper

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13674Description: 

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.6.
• If you are using Drupal 9.1, update to Drupal 9.1.13.
• If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Reported By: 

• Samuel Mortenson

Fixed By: 

• Wim Leers
• Greg Knaddison of the Drupal Security Team
• Jess of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Vijay Mani
• Heine of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Adam G-H
• Drew Webber of the Drupal Security Team
• Théodore Biadala

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13673Description: 

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

This advisory is not covered by Drupal Steward.

Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.

Updated 18:15 UTC to clarify text.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.6.
• If you are using Drupal 9.1, update to Drupal 9.1.13.
• If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By: 

• Aaron Zinck

Fixed By: 

• Aaron Zinck
• Sean Blommaert
• Alex Bronstein of the Drupal Security Team
• Marcos Cano
• Lee Rowlands of the Drupal Security Team
• Adam G-H
• Jess of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Brian Tofte-Schumacher

Project: WebformDate: 2021-August-25Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

The Webform module uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.

An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's announcement of the release.

Solution: 

Install the latest version:

• If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.28 or Webform 6.0.5

If you are using a previous release of the Webform module you can immediately do one of several options.

1. Update Drupal
2. If you are using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update
3. If you are using Drush, run drush webform:libraries:update

Learn more about updating Webform libraries.

Reported By: 

• Lee Rowlands of the Drupal Security Team

Fixed By: 

• Jacob Rockowitz

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team