Drupal Security

Project: Simple hierarchical selectDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryDescription: 

Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form.

Version 7.x of Simple hierarchical select doesn't sufficiently checks permission when creating new terms so attackers can create arbitrary taxonomy terms in any vocabularies the victim has access to..
This vulnerability is mitigated by the fact that an attacker must trick a user with permission to create terms to visit a specially prepared web page controlled by the attacker.

Solution: 

Install the latest version:

• If you use Simple hierarchical select prior to 7.x-1.7 update to 7.x-1.8
• If you are unable to update, simply deactivate the option to allow creating new terms in the widget settings.

Note that the Drupal 8 version of this module is unaffected.

Reported By: 

• Ayesh Karunaratne

Fixed By: 

• Ayesh Karunaratne
• Stefan Borchert
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

Greg Knaddison of the Drupal Security Team

Project: VideoDate: 2019-March-13Security risk: Critical 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote Code ExecutionDescription: 

This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative forms.

Solution: 

• If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14

Also see the Video project page

Note that the Drupal 8 version of this module is unaffected.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Michael Hess of the Drupal Security Team
• Jorrit Schippers
• Samuel Mortenson of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Less critical 7∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Ralf Stamm

Fixed By: 

• Ralf Stamm
• Damian Lee
• Daniel Wehner
• David Snopek of the Drupal Security Team
• Nate Lampton

Coordinated By: 

• Michael Hess of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Lucas Hedding

Fixed By: 

• Klaus Purer
• Lucas Hedding
• Greg Knaddison of the Drupal Security Team
• Aaron Zinck
• Daniel Wehner
• Damien McKenna of the Drupal Security Team
• Vijaya Chandran Mani

Coordinated By: 

• Damien McKenna of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Fabien Leroux

Fixed By: 

• Fabien Leroux
• Daniel Wehner
• Damien McKenna of the Drupal Security Team
• Len Swaneveld

Coordinated By: 

• Michael Hess of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036

Project: EU Cookie ComplianceVersion: 7.x-1.x-dev8.x-1.x-devDate: 2019-March-06Security risk: Critical 15∕25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.

Solution: 

Install the latest version:

• If you use EU Cookie Compliance module for Drupal 7.x, upgrade to EU Cookie Compliance 7.x-1.26
• If you use EU Cookie Compliance module for Drupal 8.x, upgrade to EU Cookie Compliance 8.x-1.3

Also see the EU Cookie Compliance project page.

Reported By: 

• Yonatan Offek

Fixed By: 

• Luigi Guevara
• Sven Berg Ryen

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: UbercartDate: 2019-March-06Security risk: Moderately critical 12∕25 AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site Request ForgeryDescription: 

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.

Solution: 

Install the latest version:

• If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.12

Reported By: 

• Ayesh Karunaratne

Fixed By: 

• Dave Long
• Ayesh Karunaratne
• Tim Rohaly

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Drupal voor GemeentenDate: 2019-March-06Security risk: Moderately critical 13∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access BypassDescription: 

The DvG distrubition contains the feature module dvg_domains to support multiple domains.

When the dvg_domains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages.

This issue can be mitigated by disabling the dvg_domains module.

Solution: 

Install the latest version:

• If you use the module dvg_domains from the DvG distribution upgrade to DvG 7.x-1.9

Reported By: 

• Bernard Skibinski

Fixed By: 

• paulvandenburg

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: FacetsVersion: 8.x-1.x-devDate: 2019-February-27Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

This module enables you to create facet-filters for results of a search query and exposes them as blocks

The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.

Solution: 

• Install the latest version Facets 8.x-1.3

An effective mitigation is to change the widget to use links instead of the dropdown widget.

Reported By: 

• Ide Braakman

Fixed By: 

• Jimmy Henderickx
• Joris Vercammen

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Rabbit HoleVersion: 7.x-2.x-devDate: 2019-February-27Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path.

The module doesn't respect the Rabbit Hole settings when an entity is being requested with a certain header. This could lead to certain data being exposed even if it shouldn't be. The vulnerability is mitigated by the fact that the user also needs permission to view the content being requested.

Solution: 

Install version 7.x-2.25, available at https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25.

Reported By: 

• Fabian Iwand

Fixed By: 

• Fabian Iwand
• M Parker
• Olof Bokedal

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ContextVersion: 7.x-3.x-devDate: 2019-February-27Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to manage contextual conditions and reactions for different portions of your site.

The module doesn't sufficiently sanitize user output when displayed leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the ability to store malicious markup in the site (e.g. permission to create a node with a field that accepts "filtered html").

Solution: 

Install the latest version:

• If you use the context module for Drupal 7.x, upgrade to context 7.x-3.10

Also see the Context project page.

Reported By: 

• poiu

Fixed By: 

• Bostjan Kovac

Coordinated By: 

• Ivo Van Geertruyen of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Cash Williams of the Drupal Security Team

Project: Path BreadcrumbsVersion: 7.x-3.x-devDate: 2019-February-27Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to configure breadcrumbs for any Drupal page.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs".

Solution: 

Install the latest version:

• Upgrade to Path Breadcrumbs 7.x-3.4

Also see the Path Breadcrumbs project page.

Reported By: 

• poiu

Fixed By: 

• Kate Marshalkina

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ServicesVersion: 7.x-3.x-devDate: 2019-February-27Security risk: Critical 19∕25 AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescription: 

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks.

This vulnerability is mitigated by the fact that the Drupal 7 site must have an "index" resource(s) enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.

Install the 7.x-3.22 version of the Services module for the fix, or simply disable any "index" resources to stop the attack vector.

Solution: 

Install the latest version:

• If you use the 7.x-3.x Services module for Drupal, upgrade to Services 7.x-3.22

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Tyler Frankenstein
• Samuel Mortenson of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team

Date: 2019-February-25Vulnerability:  Drupal 7 will reach end-of-life in November of 2021Description: 

Drupal 7 was first released in January 2011. In November 2021, after over a decade, Drupal 7 will reach end of life (EOL). (More information on why this date was chosen.) Official community support for version 7 will end, along with support provided by the Drupal Association on Drupal.org. This means that automated testing services for Drupal 7 will be shut down, and there will be no more updates provided by the Drupal Security Team.

When this occurs, Drupal 7 will be marked end-of-life in the update manager, which appears in the Drupal administrative interface. Updates, security fixes, and enhancements will no longer be provided by the community, but may be available on a limited basis from select commercial vendors.

If you have a site that is running on Drupal 7, now is the time to start planning the upgrade. Note that the transition from Drupal 8 to Drupal 9 will not be the significant effort that the transition from 7 to 8 was. In fact, the first release of Drupal 9 will be identical to the last release of Drupal 8, except with deprecated code removed and dependencies updated to newer versions. (See Plan for Drupal 9 for more information on Drupal 9.)

What this means for your Drupal 7 sites is, as of November 2021:

• Drupal 7 will no longer be supported by the community at large. The community at large will no longer create new projects, fix bugs in existing projects, write documentation, etc. around Drupal 7.
• There will be no more core commits to Drupal 7.
• The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities might become public creating 0 day exploits.
• All Drupal 7 releases on all project pages will be flagged as not supported. Maintainers can change that flag if they desire to.
• On Drupal 7 sites with the update status module, Drupal Core will show up as unsupported.
• After November 2021, using Drupal 7 may be flagged as insecure in 3rd party scans as it no longer gets support.
• Best practice is to not use unsupported software, it would not be advisable to continue to build new Drupal 7 sites.
• Now is the time to start planning your migration to Drupal 8.

If, for any reason, you are unable to migrate to Drupal 8 or 9 by the time version 7 reaches end of life, there will be a select number of organizations that will provide Drupal 7 Vendor Extended Support (D7ES) for their paying clients. This program is the successor to the successful Drupal 6 LTS program. Like that program, it will be an additional paid service, fully operated by these organizations with some help from the Security Team.

The Drupal Association and Drupal Security Team will publish an announcement once we have selected the Drupal 7 Vendor Extended Support partners.

If you would like more information about the Drupal release cycle, consult the official documentation on Drupal.org. If you would like more information about the upcoming release of Drupal 9, join us at DrupalCon Seattle.

Information for organizations interested in providing commercial Drupal 7 Vendor Extended Support

Organizations interested in providing commercial Drupal 7 Vendor Extended Support to their customers and who have the technical knowledge to maintain Drupal 7 are invited to fill out the
application for the Drupal 7 Vendor Extended Support team. The application submission should explain why the vendor is a good fit for the program, and explain how they meet the requirements as outlined below.

Base requirements for this program include:

• You must have experience in the public issue queue supporting Drupal 7 core or Drupal 7 Modules. You should be able to point to a history of such contribution. One way to measure this is issue credits, but there are other ways. You must continue this throughout your enrollment in the program. If you have other ways to show your experience, feel free to highlight them.
• You must make a commitment to the Security Team, the Drupal Association, and your customers that you will remain active in this program for 3 years.
• As a partner, you must contribute to at least 20% of all Drupal 7 Vendor Extended Support module patches and 80% of D7ES core patches in a given year. (Modules that have been moved into core in Drupal 8 count as part of core metrics in Drupal 7) .
• Any organization involved in this program must have at least 1 member on the Drupal Security Team for at least 3 months prior to joining the program and while a member of the program. (See How to join the Drupal Security Team for information.) This person will need a positive evaluation of their contributions from the Security Working Group.
• Payment of an Drupal 7 Vendor Extended Support annual fee for program participation is required (around $3000 a year). These fees will go to communication tools for the Drupal 7 Vendor Extended Support vendors and/or the greater community.
• Payment of a $450 application fee is required.
• Your company must provide paid support to Drupal 7 clients. This program is not for companies that don't provide services to external clients.

Application review process:

1. We will confirm that each vendor meets the requirements outlined above and is a good fit for the program.
2. If the Security Working Group does not think you are a good fit, we will explain why and decline your application. If you are rejected, you are able to reapply. Most rejections will be due to Organizations not having enough ongoing contribution to Drupal 7 and Organizations not having a Drupal Security Team member at their organization.
3. The Drupal Association signs off on your participation in the program.
4. If you are accepted, you will be added to the Drupal 7 Vendor Extended Support vendor mailing list.
5. The Security Working Group will do a coordinated announcement with the vendors to promote the program.

If you have any questions you can email D7ES@drupal.org

Date: 2019-February-23Vulnerability: SA-CORE-2019-003 Notice of increased risk and Additional exploit pathDescription: 

This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2019-003 you should do that now.

There are public exploits now available for this SA.

Update, February 25: Mass exploits are now being reported in the wild.

In the original SA we indicated this could be mitigated by blocking POST, PATCH and PUT requests to web services resources, there is now a new way to exploit this using GET requests.

The best mitigation is:

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
• Be sure to install any available security updates for contributed projects after updating Drupal core.

This only applies to your site if:

• The site has the Drupal 8 core RESTful Web Services (rest) module enabled.

OR

• The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7, or custom code that allows entity updates via non-form sources.

What to do if your site may be compromised

Take a look at our existing documentation, ”Your Drupal site got hacked, now what”.
We’ll continue to update the SA if novel types of exploit appear.

Project: Drupal coreDate: 2019-February-20Security risk: Highly critical 23∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: Remote Code ExecutionCVE IDs: CVE-2019-6340Description: 

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

• The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
• the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Updates

• 2019-02-20: Updated risk score given new information; see PSA-2019-02-22. The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable. Note this does not include REST exports from Views module.

Solution: 

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
• Be sure to install any available security updates for contributed projects after updating Drupal core.
• No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow GET/PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher
• Peter Wolanin of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Daniel Wehner
• Cash Williams of the Drupal Security Team
• Wim Leers
• Jess of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Francesco Placella
• Damian Lee
• Tobias Zimmermann
• Ted Bowman
• Damien McKenna of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Rob Loach
• Gabe Sullice
• Michael Hess of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Heshan Wanigasooriya
• David Snopek of the Drupal Security Team
• Wolfgang Ziegler
• Miro Dietiker
• Truls S. Yggeseth

Project: Font Awesome IconsDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the Font Awesome Icons module for Drupal 8.x, upgrade to Font Awesome Icons 8.x-2.12.

Project: Translation Management ToolDate: 2019-February-20Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the TMGMT module for Drupal 8.x, upgrade to TMGMT 8.x-1.7.

Project: ParagraphsDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.6.

Project: VideoDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

• If you use the Video module for Drupal 8, upgrade to Video 8.x-1.4