Drupal Security

Project: Block Content Revision UIDate: 2021-June-16Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module provides a revision UI to Block Content entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

• If you use the Block Content Revision UI module for Drupal 8.x, upgrade to Block Content Revision UI 2.127.1

Reported By: 

• Michael Strelan

Fixed By: 

• Michael Strelan

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Linky Revision UIDate: 2021-June-16Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module provides a revision UI to Linky entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

Solution: 

Install the latest version:

• If you use the Linky Revision UI module for Drupal 8.x, upgrade to Linky Revision UI 2.127.1

Reported By: 

• Michael Strelan

Fixed By: 

• Michael Strelan
• Lee Rowlands of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

Project: Chaos Tool Suite (ctools)Date: 2021-June-16Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.

The module doesn't sufficiently handle block access control on its EntityView plugin. This is a followup to more fully implement the fixes from SA-CONTRIB-2021-009

This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom blockAccess() method that differs from the default return value of 'AccessResult::allowed()' and extending from EntityView.

Solution: 

Install the latest version:

• If you use the CTools module for Drupal 8.x, upgrade to CTools 8.x-3.7

Reported By: 

• Michael Vanetta

Fixed By: 

• Michael Vanetta
• Joël Pittet

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: OpenID Connect / OAuth clientDate: 2021-June-02Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution: 

Install the latest version:

• If you use the openid_connect module for Drupal 8/9, upgrade to openid_connect 8.x-1.1
• If you use the openid_connect module for Drupal 7, upgrade to openid_connect 7.x-1.0

Reported By: 

• Jeffrey Bertoen

Fixed By: 

• João Ventura
• Philip Frilling
• Jeffrey Bertoen

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: GraphQLDate: 2021-June-02Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module lets you craft and expose a GraphQL web service API.

The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data producer be configured that throws exceptions with confidential error messages that must not be exposed over the GraphQL API.

Solution: 

Install the latest version:

• If you use the GraphQL module 8.x-4.x for Drupal 8.x, upgrade to GraphQL 8.x-4.1
• If you use the GraphQL module 8.x-3.x for Drupal 8.x no action is needed as a result of this advisory. The 8.x-3.x branch is not affected by this issue.

Reported By: 

• Alex Tkachev

Fixed By: 

• Klaus Purer
• Radoslav Terezka

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Frequently Asked QuestionsDate: 2021-June-02Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Frequently Asked Questions (faq) module allows users, with appropriate permissions, to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes configured. Basic Views layouts are also provided and can be customised via the Views UI (rather than via the module settings page).

The module doesn't sufficiently sanitize editor input leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "create faq content" permission.

Solution: 

Install the latest version:

• If you use the Frequently Asked Questions module for Drupal 7.x, upgrade to Frequently Asked Questions 7.x-1.3

Reported By: 

• Mitch Portier

Fixed By: 

• Mitch Portier
• Mohammed Razem
• Vijay Mani Provisional Member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Open SocialDate: 2021-June-02Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Authentication BypassDescription: 

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

Solution: 

Install the latest version of Open Social:

• If you use the Open Social distribution for Drupal 10.0.x, upgrade to Open Social 10.0.13
• If you use the Open Social distribution for Drupal 10.1.x, upgrade to Open social 10.1.6

Alternatively, disable the module social_magic_login.

Reported By: 

• Ronald te Brake
• Alexander Varwijk
• Robert Ragas

Fixed By: 

• Ronald te Brake
• Alexander Varwijk
• Robert Ragas

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Open SocialDate: 2021-June-02Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescription: 

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions".

Solution: 

Install the latest version:

• If you use Open Social 9.x, upgrade to 8.x-9.17
• If you use Open Social 10.0.x, upgrade to 10.0.13
• If you use Open Social 10.1.x, upgrade to 10.1.6

Reported By: 

• mindaugasd

Fixed By: 

• mindaugasd
• Alexander Varwijk
• Drew Webber of the Drupal Security Team
• Ronald te Brake
• Neil Drumm of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2021-May-26Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site ScriptingCVE IDs: CVE-2021-33829Description: 

Update: 2021-06-11: Added CVE-2021-33829 identifier

Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.

Update: 2021-06-11: More details are available on CKEditor's blog.

Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details.

This issue is mitigated by the fact that it only affects sites with CKEditor enabled.

Solution: 

Install the latest version:

• If you are using Drupal 9.1, update to Drupal 9.1.9.
• If you are using Drupal 9.0, update to Drupal 9.0.14.
• If you are using Drupal 8.9, update to Drupal 8.9.16.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Reported By: 

• Or Sahar

Fixed By: 

• Greg Knaddison of the Drupal Security Team
• Jess of the Drupal Security Team
• Krzysztof Krzton
• Lee Rowlands of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Date: 2021-May-25Description: 

Update: After some delays, the new estimate for this release is 20:00UTC on May 26th, 2021. Apologies for the inconvenience.

There will be a security release of Drupal Core 8.9.x, and 9.1.x on May 26th, 2021 between 16:00 - 18:00 UTC. This Public Service Advisory is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

The security risk of the advisory is currently rated as Moderately Critical.
This is not a mass-exploitable vulnerability as far as the security team is currently aware.

Given that this is a moderately critical vulnerability and is not believed to be mass exploitable it is not covered by Drupal Steward partners.

Project: Chaos Tool Suite (ctools)Version: 8.x-3.58.x-3.48.x-3.38.x-3.28.x-3.18.x-3.0Date: 2021-May-12Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information disclosureDescription: 

Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.

The module doesn't sufficiently handle access control on its EntityView plugin.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route.

Solution: 

Install the latest version:

• If you use the Chaos tool suite module for Drupal 8.x, upgrade to Chaos tool suite 8.x-3.6

Reported By: 

• Jonathan Hedstrom

Fixed By: 

• Jonathan Hedstrom
• Balazs Janos Tatar
• Jakob Perry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: FacetsVersion: 8.x-1.x-devDate: 2021-May-12Security risk: Moderately critical 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.

The module doesn't sufficiently filter all output in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x/9.x, upgrade to Facets 8.x-1.8

Reported By: 

• Ide Braakman

Fixed By: 

• Markus Kalkbrenner
• Ide Braakman
• Joris Vercammen

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: GutenbergVersion: 8.x-2.x-dev8.x-1.x-devDate: 2021-May-12Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks.

Solution: 

Install the latest version:

• If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12
• If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0
• For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks.

Reported By: 

• Stephan Zeidler
• Mariusz Andrzejewski

Fixed By: 

• Stephan Zeidler
• codebymikey
• Marco Fernandes

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: SAML AuthenticationDate: 2021-April-28Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The SAML Authentication module allows users to authenticate against a SAML identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.

Solution: 

Install the latest version:

• for all versions of Drupal 8/9, upgrade to samlauth 8.x-3.1.
• for Drupal 7, upgrade to samlauth 7.x-1.1.

Reported By: 

• Bobby Gryzynger
• Mark Shropshire

Fixed By: 

• Bobby Gryzynger
• Roderik Muit
• Jakob Perry
• Sascha Grossenbacher
• Cameron Eagans
• Drew Webber of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2021-April-21Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13672Description: 

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Solution: 

Install the latest version:

• If you are using Drupal 9.1, update to Drupal 9.1.7.
• If you are using Drupal 9.0, update to Drupal 9.0.12.
• If you are using Drupal 8.9, update to Drupal 8.9.14.
• If you are using Drupal 7, update to Drupal 7.80.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Reported By: 

• Jasper Mattsson

Fixed By: 

• Alex Pott of the Drupal Security Team
• Jasper Mattsson
• Michael Hess of the Drupal Security Team
• Wim Leers
• Heine of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• nwellnhof
• Alex Bronstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Adam G-H
• Drew Webber of the Drupal Security Team

Project: Fast AutocompleteVersion: 8.x-1.78.x-1.68.x-1.58.x-1.48.x-1.38.x-1.28.x-1.18.x-1.0Date: 2021-March-17Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Fast Autocomplete module provides fast IMDB-like suggestions below a text input field. Suggestions are stored as JSON files in the public files folder so that they can be provided to the browser relatively fast without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the configuration option "Perform search as anonymous user only" is switched from the default on value to off.

This enables a malicious user to read search results generated by users with other roles, disclosing search results the user normally has no access to.

Solution: 

Install the latest version:

• If you use the Fast Autocomplete module for Drupal 8.x or 9.x, upgrade to Fast Autocomplete 8.x-1.8

Alternatively, re-enable the setting "Perform search as anonymous user only" to only display anonymous search results and delete the generated files by using the "Delete json files" option in all Fast Autocomplete configurations.

Fast Autocomplete for Drupal 7.x is not affected.

Reported By: 

• Heine Deelstra of the Drupal Security Team

Fixed By: 

• Heine Deelstra of the Drupal Security Team
• Martijn Vermeulen

Coordinated By: 

• Heine Deelstra of the Drupal Security Team

Project: WebformDate: 2021-March-03Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:DefaultVulnerability: Access bypassDescription: 

The Webform module for Drupal 8/9 includes a default Contact webform, which sends a notification email to the site owner and a confirmation email to the email address supplied via the form.

The confirmation email can be used as an open mail relay to send an email to any email address.

This vulnerability is mitigated by the fact that the site owner's email address is also receiving a notification email, which should alert the site owner to the exploitation. If the site owner's mailbox is not monitored, the open mail relay can be more easily exploited.

With the Webform module's latest release, the default Contact's confirmation email will only be sent to an authenticated user's email address. Anonymous users will no longer receive a confirmation email.

If anonymous users need to receive a confirmation email, we recommend you add SPAM protection to the form and update the email handler.

Solution: 

Install the latest version:

• If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.25 or Webform 6.0.2

If you are using a previous release of the Webform module you can immediately do one of several options.

1. Delete the default Contact form. (/form/contact)
2. Delete the default Contact form's confirmation email handler.(/admin/structure/webform/manage/contact/handlers)
3. Update the default Contact form's confirmation email to only email the current user's email address using the [current-user:mail] token. (/admin/structure/webform/manage/contact/handlers/email_confirmation/edit)
4. Add SPAM protection to the default Contact form.

Reported By: 

• KarinG

Fixed By: 

• Jacob Rockowitz
• Dan Chadwick
• KarinG

Coordinated By: 

• Greg Knaddison of the Drupal Security Team