Drupal Security

Project: Search APIDate: 2022-October-19Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.

This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.

Solution: 

Install the latest version:

• If you use the Search API module for Drupal 9.x/10.x, upgrade to Search API 8.x-1.27

Reported By: 

• Markus Kalkbrenner

Fixed By: 

• Gerhard Killesreiter of the Drupal Security Team
• Joris Vercammen
• Markus Kalkbrenner
• Thomas Seidl
• Damien McKenna of the Drupal Security Team

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Twig Field ValueDate: 2022-October-12Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

This vulnerability is mitigated by the fact that these filters must be used in combination with either unpublished content or access control modules.

Solution: 

Install the latest version:

• If you use the Twig Field Value module version 8.x-1.x or 2.0.x, upgrade to Twig Field Value 2.0.1

Reported By: 

• Erik Stielstra

Fixed By: 

• Erik Stielstra

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team

Project: S3 File SystemDate: 2022-September-28Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables you to utilize S3-compatible storage as a Drupal filesystem.

The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.

This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.

Solution: 

Install the latest version:

• If you use the S3 File System module for Drupal 7.x, upgrade to S3 File System 7.x-2.14

Reported By: 

• Conrad Lara
• Guy Elsmore-Paddock

Fixed By: 

• Conrad Lara
• Ron Shimshock

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2022-September-28Security risk: Critical 18∕25 AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:AllVulnerability: Multiple vulnerabilitiesAffected versions: >= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7CVE IDs: CVE-2022-39261Description: 

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.

Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.

Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.

Solution: 

Install the latest version:

• If you are using Drupal 9.4, update to Drupal 9.4.7.
• If you are using Drupal 9.3, update to Drupal 9.3.22.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include Twig and therefore is not affected.

Reported By: 

• Fabien Potencier
• Nicolas Grekas
• James Williams
• Samuel Mortenson

Fixed By: 

• xjm of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Sascha Grossenbacher
• Lee Rowlands of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Dave Long, provisional member of the Drupal Security Team
• cilefen of the Drupal Security Team
• James Williams
• Benji Fisher, provisional member of the Drupal Security Team
• Luke Leber
• pooja saraah

Project: Permissions by TermVersion: 3.1.18Date: 2022-September-07Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution: 

Install the latest version:

• If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19

Reported By: 

• federico prato

Fixed By: 

• federico prato
• Peter Majmesku
• Jess of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Permissions by TermVersion: 3.1.173.1.163.1.153.1.143.1.133.1.123.1.113.1.103.1.93.1.83.1.73.1.63.1.53.1.43.1.33.1.23.1.13.1.03.0.13.0.0Date: 2022-September-07Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to restrict content via taxonomy terms and related permissions.

The module doesn't sufficiently restrict cached content in certain circumstances.

This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module.

Solution: 

Install the latest version:

• If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19

Reported By: 

• ytsurk
• Andy Fowlston
• Joseph
• Julian Pustkuchen
• Aleksi Peebles

Fixed By: 

• Peter Majmesku
• ytsurk
• Joseph
• Julian Pustkuchen
• Aleksi Peebles
• Ambient.Impact
• Stephen Mustgrave
• Jay McGraw

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Next.jsVersion: 1.2.01.1.01.0.0Date: 2022-September-07Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.

Solution: 

If you use the Next.js module for Drupal 9.x:

1. Upgrade to version v1.3.0.
2. Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.

See the upgrade guide at https://next-drupal.org/docs/upgrade-guide.

Reported By: 

• Lauri Eskola

Fixed By: 

• Lauri Eskola
• shadcn
• Minnur Yunusov

Coordinated By: 

• Damien McKenna of the Drupal Security Team

Project: Commerce ElavonVersion: 8.x-2.28.x-2.18.x-2.08.x-2.0-beta28.x-2.0-beta17.x-1.47.x-1.37.x-1.27.x-1.17.x-1.0Date: 2022-August-24Security risk: Moderately critical 11∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <=2.2.0Description: 

This module enables you to accept payments from the Elavon payment provider.

The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.

This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.

Solution: 

Install the latest version:

• If you use the Commerce Elavon module for Drupal 8.x/9.x, upgrade to Commerce Elavon 8.x-2.3
• If you use the Commerce Elavon module version 1.x for Drupal 7.x, upgrade to Commerce Elavon 7.x-1.5

Reported By: 

• Andy Fowlston

Fixed By: 

• Andy Fowlston
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team