Drupal Security
Zircon - Critical - Unsupported - SA-CONTRIB-2018-037
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:Education - Critical - Unsupported - SA-CONTRIB-2018-036
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:Hotel - Critical - Unsupported - SA-CONTRIB-2018-034
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:iShopping - Critical - Unsupported - SA-CONTRIB-2018-033
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported themes and modules critical by default.
Solution:If you use this theme, you should uninstall it.
Reported By:SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use this module, you should uninstall it.
Reported By:- Pere Orga of the Drupal Security Team
Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use this module, you should uninstall it.
Reported By:Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use this module, you should uninstall it.
Reported By:SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
This module adds a new formatter for the file fields, which allows any file extension to be uploaded.
The module doesn't sufficiently handle sanitization under the scenario uploaded SVG files.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission create or edit on certain content types that allows SVG files to be uploaded.
Install the latest version:
- If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.06
Also see the SVG Formatter project page.
Reported By:- Balazs Janos Tatar Provisional member of the Security Team
- Balazs Janos Tatar Provisional member of the Security Team
- Rick Manelius of the Drupal Security Team
- Goran Nikolovski
- Balazs Janos Tatar Provisional member of the Security Team
Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026
Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use the Scrollable Content module you should uninstall it.
Reported By:N/A
Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025
Simple Taxonomy Revision module enables revisions for taxonomy terms for Drupal 8.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use the Simple Taxonomy Revision module you should uninstall it.
Reported By:N/A
KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024
KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use the KCFinder integration you should uninstall it.
Reported By:Neil Drumm of the Drupal Security Team
Fixed By:N/A
Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023
With Multi-Step Registration you can create multi-step (wizard) user account registration forms.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.
The security team marks all unsupported modules critical by default.
Solution:If you use the step module for Drupal you should uninstall it.
Reported By: Fixed By:N/A
JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.
The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.
This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.
Solution:Install the latest version:
- If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16
- Michael Hess of the Drupal Security Team
DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.
The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.
Solution:Install the latest version:
- If you use the DRD module for Drupal 8.x, upgrade to DRD 8.x-3.14
- If you use the DRD Agent module for Drupal 8.x, upgrade to DRD Agent 8.x-3.7
- If you use the DRD Agent module for Drupal 7.x, upgrade to DRD Agent 7.x-3.5
- David Snopek of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Jürgen Haas
- David Snopek of the Drupal Security Team
Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020
The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.
The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.
Solution:Install the latest version:
- If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19
- Dave Reid the module maintainer and member of the Drupal Security Team
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
CVE: CVE-2018-7602
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
Updated — this vulnerability is being exploited in the wild.
Solution:Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.59.
- If you are running 8.5.x, upgrade to Drupal 8.5.3.
- If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)
If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:
- Patch for Drupal 8.x (8.5.x and below)
- Patch for Drupal 7.x
These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)
Reported By:- David Rothstein of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Jasper Mattsson
- David Rothstein of the Drupal Security Team
- xjm of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Pere Orga of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Tim Plunkett
- Michael Hess of the Drupal Security Team
- Nate Lampton
- Jasper Mattsson
- Neil Drumm of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Daniel Wehner
Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003
There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.
This security release is a follow-up to the one released as SA-CORE-2018-002 on March 28.
- Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
- Sites on 8.4.x should immediately update to the 8.4.8 release that will be provided in the advisory, and then plan to update to 8.5.3 or the latest security release as soon as possible (since 8.4.x no longer receives official security coverage).
The security advisory will list the appropriate version numbers for each branch. Your site's update report page will recommend the 8.5.x release even if you are on 8.4.x or an older release, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.
Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition to the releases mentioned above. (If your site is on a Drupal 8 release older than 8.4.x, it no longer receives security coverage and will not receive a security update. The provided patches may work for your site, but upgrading is strongly recommended as older Drupal versions contain other disclosed security vulnerabilities.)
This release will not require a database update.
The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004.
The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: login on Drupal.org, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.
Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.
If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.
Neue Kommentare
vor 1 Stunde 41 Minuten
vor 21 Stunden 3 Minuten
vor 21 Stunden 8 Minuten
vor 1 Tag 11 Stunden
vor 1 Tag 12 Stunden
vor 1 Tag 15 Stunden
vor 1 Tag 19 Stunden
vor 1 Tag 22 Stunden
vor 2 Tagen 14 Stunden
vor 2 Tagen 17 Stunden