Drupal Security

Project: Fast AutocompleteVersion: 8.x-1.78.x-1.68.x-1.58.x-1.48.x-1.38.x-1.28.x-1.18.x-1.0Date: 2021-March-17Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off.

This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.

Solution: 

Install the latest version:

• If you use the Fast Autocomplete module for Drupal 8.x or 9.x, upgrade to Fast Autocomplete 8.x-1.8

Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.

Fast Autocomplete for Drupal 7.x is not affected.

Reported By: 

• Heine Deelstra of the Drupal Security Team

Fixed By: 

• Heine Deelstra of the Drupal Security Team
• Martijn Vermeulen

Coordinated By: 

• Heine Deelstra of the Drupal Security Team

Project: WebformDate: 2021-March-03Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:DefaultVulnerability: Access bypassDescription: 

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.

Solution: 

Install the latest version:

• If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.25 or Webform 6.0.2

If you are using a previous release of the Webform module you can immediately do one of several options.

1. Delete the default Contact form. (/form/contact)
2. Delete the default Contact form's confirmation email handler.(/admin/structure/webform/manage/contact/handlers)
3. Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
4. Add SPAM protection to the default Contact form.

Reported By: 

• KarinG

Fixed By: 

• Jacob Rockowitz
• Dan Chadwick
• KarinG

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SubgroupVersion: 1.0.x-devDate: 2021-January-27Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.

When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees with only multiple nodes at the lowest tier (or nowhere) are unaffected.

Solution: 

Install the latest version, Subgroup 1.0.1, and clear your caches.

Reported By: 

• Mori Sugimoto of the Drupal Security Team
• kyk

Fixed By: 

• Kristiaan Van den Eynde

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Open SocialVersion: 8.x-9.x-dev8.x-8.x-devDate: 2021-January-27Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must have the configuration set in such a way a logged in user is able to export users.

Solution: 

Install the latest version:

• If you use Open Social major version 8, upgrade to 8.x-8.10
• If you use Open Social major version 9, upgrade to 8.x-9.8

Reported By: 

• Robert Ragas

Fixed By: 

• Ronald te Brake
• Alexander Varwijk
• Bram ten Hove

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Open SocialVersion: 8.x-9.x-dev8.x-8.x-devDate: 2021-January-27Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information in certain scenarios. The information is usually only available for logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled, one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from configuration will allow this vulnerability to be blocked.

Solution: 

Install the latest version:

• If you use Open Social major version 8, upgrade to 8.x-8.10
• If you use Open Social major version 9, upgrade to 8.x-9.8

Reported By: 

• Alexander Varwijk

Fixed By: 

• Alexander Varwijk
• Ronald te Brake

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2021-January-20Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: Third-party librariesDescription: 

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

• CVE-2020-36193

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

Solution: 

Install the latest version:

• If you are using Drupal 9.1, update to Drupal 9.1.3.
• If you are using Drupal 9.0, update to Drupal 9.0.11.
• If you are using Drupal 8.9, update to Drupal 8.9.13.
• If you are using Drupal 7, update to Drupal 7.78.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.

Reported By: 

• Richard Sheppard
• Stephen Cross
• Jonathan Danaher
• Kim Pepper

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Vijay Mani Provisional Member of the Drupal Security Team
• Jess of the Drupal Security Team
• Michael Hess of the Drupal Security Team