Drupal Security

Project: Multiple RegistrationDate: 2019-May-15Security risk: Critical 19∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role.

This vulnerability is mitigated on sites where account approval is required as the user starts as blocked but still gets the "Administrator" role.

Solution: 

Install the latest version:

• If you use the Multiple registration module for Drupal 8.x, upgrade to Multiple registration 8.x-2.8

Reported By: 

• iswilson

Fixed By: 

• Yaroslav Samoylenko
• iswilson
• Cash Williams of the Drupal Security Team

Coordinated By: 

Cash Williams of the Drupal Security Team

Project: Opigno Learning pathDate: 2019-May-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.

Solution: 

Install the latest version:

• If you use the opigno learning path module for Drupal 8.x, upgrade to opigno_learning_path 8.x-1.4
• If using the opigno lms distribution it is recommended to update the whole distribution to the latest version Opigno lms 8.x-1.5

Also see the Opigno Learning path project page.

Reported By: 

• Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

• James Aparicio
• Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

• Nathaniel Catchpole of the Drupal Security Team

Project: Opigno forumDate: 2019-May-15Security risk: Less critical 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants.

This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are listings such as views where the site builder / developer has not taken this into account.

Solution: 

Install the latest version:

• If you use the opigno_forum module for Drupal 8.x, upgrade to opigno_forum 8.x-1.2

Also see the Opigno forum project page.

Reported By: 

• Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

• James Aparicio
• Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

• Nathaniel Catchpole of the Drupal Security Team

Project: Drupal coreDate: 2019-May-08Security risk: Moderately critical 14∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Third-party librariesCVE IDs: CVE-2019-11831Description: 

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

The known vulnerability in Drupal core requires the "administer themes" permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.

Solution: 

Install the latest version:

• If you are using Drupal 8.7, update to Drupal 8.7.1
• If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16.
• If you are using Drupal 7, update to Drupal 7.67.

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Reported By: 

• Daniel Le Gall

Fixed By: 

• Jess of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Oliver Hader
• David Snopek of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Daniel Le Gall
• Tim Plunkett

Date: 2019-May-07Vulnerability: Drupal 7 and 8 release on May 8th, 2019Description: 

The Drupal Security Team will be coordinating a security release for Drupal 7 and 8 this week on Wednesday, May 8th, 2019.

We are issuing this PSA in advance because according to the regular security release window schedule, May 8th would not typically be a core security window.

This release is rated as moderately critical.

The Drupal 7 and 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm Eastern).

May 8th also remains a normal security release window for contributed projects.

Project: Drupal coreDate: 2019-April-17Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingCVE IDs: CVE-2019-11358Description: 

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It's possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.

2019-04-22, edited to add CVE.

Solution: 

Install the latest version:

• If you are using Drupal 8.6, update to Drupal 8.6.15.
• If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.
• If you are using Drupal 7, update to Drupal 7.66.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

• SA-CORE-2019-005
• SA-CORE-2019-006

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• dtv_rb
• Jess of the Drupal Security Team

Fixed By: 

• Alex Bronstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Jess of the Drupal Security Team
• Lauri Eskola
• Greg Knaddison of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team

Project: Drupal coreDate: 2019-April-17Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

This security release fixes third-party dependencies included in or required by Drupal core.

• CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory:
  

  Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

• CVE-2019-10910: Check service IDs are valid. From that advisory:

  Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

• CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory:

  This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

Solution: 

Install the latest version:

• If you are using Drupal 8.6, update to Drupal 8.6.15.
• If you are using Drupal 8.5 or earlier, update to Drupal 8.5.15.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

• SA-CORE-2019-005
• SA-CORE-2019-006

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 

• Michael Cullum

Fixed By: 

• Michael Hess of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Michael Cullum
• Lee Rowlands of the Drupal Security Team

Project: TableFieldDate: 2019-April-17Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module allows you to attach tabular data to an entity.

The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution: 

Install the latest version:

• If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

Reported By: 

• Drew Webber Provisional Security Team Member

Fixed By: 

• Drew Webber Provisional Security Team Member
• Martin Postma
• Jen Lampton

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Stage File ProxyVersion: 7.x-1.x-devDate: 2019-April-17Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceDescription: 

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File Proxy is installed.

This vulnerability is mitigated by the fact that an attacker must make repeated requests. The vulnerability only exists on environments where Stage File Proxy is installed (it generally is not installed on production). It only affects sites where the "Hot Link" option is disabled (disabled is the default configuration).

Solution: 

Install the latest version:

• If you use the Stage File Proxy module for Drupal 7.x, upgrade to Stage File Proxy 7.x-1.9

Also see the Stage File Proxy project page.

Reported By: 

• remydenton
• Axel Rutz
• Drew Webber Provisional Security Team Member

Fixed By: 

• remydenton
• Axel Rutz
• Drew Webber Provisional Security Team Member

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ServicesVersion: 7.x-3.x-devDate: 2019-April-03Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update nodes that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a node.

Solution: 

Install the latest version:

• If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.24

Also see the Services project page.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Tyler Frankenstein

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Module FilterVersion: 7.x-2.x-devDate: 2019-March-27Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingDescription: 

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs.

The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have access to input filtered html that will be included on the modules administration page e.g. in a block (this configuration is not common). Further, the Module Filter vertical tabs setting must be enabled.

Solution: 

Install the latest version:

• If you use the Module Filter module for Drupal 7.x, upgrade to Module Filter 7.x-2.2

Also see the Module Filter project page.

Reported By: 

• Yonatan Offek

Fixed By: 

• greenSkin

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreDate: 2019-March-20Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingCVE IDs: CVE-2019-6341Description: 

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Solution: 

• If you are using Drupal 8.6, update to Drupal 8.6.13.
• If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.
• If you are using Drupal 7, update to Drupal 7.65.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By: 

• Sam Thomas

Fixed By: 

• Alex Pott of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team

Project: RESTfulVersion: 7.x-2.x-dev7.x-1.x-devDate: 2019-March-20Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: Remote code executionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module.

Solution: 

• If you use the RESTful module for Drupal 7.x, upgrade to RESTful 7.x-1.10 or RESTful 7.x-2.17

Project: Back To TopVersion: 7.x-1.x-devDate: 2019-March-20Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery.

The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting (XSS) issue.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access backtotop settings".

Solution: 

Install the latest version:

• If you use the Back To Top module for Drupal 7.x, upgrade to Back To Top 7.x-1.6

Reported By: 

• Balazs Janos Tatar

Fixed By: 

• Mattias Axelsson
• Balazs Janos Tatar

Coordinated By: 

• Balazs Janos Tatar

Project: AddToAny Share ButtonsVersion: 7.x-4.x-dev8.x-1.x-devDate: 2019-March-20Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to add social media share buttons on your website to its content and pages.

The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer addtoany".

This advisory was edited on March 25th to add the affected 8.x-1.11 release.

Solution: 

• If you use the AddToAny Share Buttons module for Drupal 7.x, upgrade to AddToAny Share Buttons 7.x-4.16
• If you use the AddToAny Share Buttons module for Drupal 8.x, upgrade to AddToAny Share Buttons 8.x-1.11

Reported By: 

• Balazs Janos Tatar

Fixed By: 

• Balazs Janos Tatar
• micropat

Coordinated By: 

• Balazs Janos Tatar

Project: Simple hierarchical selectDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryDescription: 

Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form.

Version 7.x of Simple hierarchical select doesn't sufficiently checks permission when creating new terms so attackers can create arbitrary taxonomy terms in any vocabularies the victim has access to..
This vulnerability is mitigated by the fact that an attacker must trick a user with permission to create terms to visit a specially prepared web page controlled by the attacker.

Solution: 

Install the latest version:

• If you use Simple hierarchical select prior to 7.x-1.7 update to 7.x-1.8
• If you are unable to update, simply deactivate the option to allow creating new terms in the widget settings.

Note that the Drupal 8 version of this module is unaffected.

Reported By: 

• Ayesh Karunaratne

Fixed By: 

• Ayesh Karunaratne
• Stefan Borchert
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

Greg Knaddison of the Drupal Security Team

Project: VideoDate: 2019-March-13Security risk: Critical 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote Code ExecutionDescription: 

This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative forms.

Solution: 

• If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14

Also see the Video project page

Note that the Drupal 8 version of this module is unaffected.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Michael Hess of the Drupal Security Team
• Jorrit Schippers
• Samuel Mortenson of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Less critical 7∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Ralf Stamm

Fixed By: 

• Ralf Stamm
• Damian Lee
• Daniel Wehner
• David Snopek of the Drupal Security Team
• Nate Lampton

Coordinated By: 

• Michael Hess of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Lucas Hedding

Fixed By: 

• Klaus Purer
• Lucas Hedding
• Greg Knaddison of the Drupal Security Team
• Aaron Zinck
• Daniel Wehner
• Damien McKenna of the Drupal Security Team
• Vijaya Chandran Mani

Coordinated By: 

• Damien McKenna of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to create customized lists of data.

The module doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Solution: 

Install the latest version:

• If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 

• Fabien Leroux

Fixed By: 

• Fabien Leroux
• Daniel Wehner
• Damien McKenna of the Drupal Security Team
• Len Swaneveld

Coordinated By: 

• Michael Hess of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

• SA-CONTRIB-2019-034
• SA-CONTRIB-2019-035
• SA-CONTRIB-2019-036