July 2016

Drupal Core - Highly Critical - Injection

* Advisory ID: DRUPAL-SA-2016-002
* Project: Drupal core
* Version: 8.x
* Date: 2016-July-18
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Injection

DESCRIPTION

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

VERSIONS AFFECTED

Drupal 8.x core release on Monday

* Advisory ID: DRUPAL-PSA-2016-002
* Project: Drupal
* Version: 8.x
* Date: 2016-July-17
* Security risk: TBD
* Vulnerability: TBD

DESCRIPTION

We will be doing a Drupal 8 core patch release on Monday, July 18th. This
will occur between 14:15 UTC and 19:00 UTC.

There will not be a Drupal 7 release during this window.

WHY IS THIS RELEASE BEING ISSUED?

Coder - Highly Critical - Remote Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-039
* Project: Coder (third-party module)
* Version: 7.x
* Date: 2016-July-13
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

RESTWS - Highly critical - Remote code execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-040
* Project: RESTful Web Services (third-party module)
* Version: 7.x
* Date: 2016-July-13
* Security risk: 22/25 (Highly Critical)
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

This module enables you to expose Drupal entities as RESTful web services.

RESTWS alters the default page callbacks for entities to provide additional functionality.

Webform Multiple File Upload - Critical - Remote Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-038
* Project: Webform Multiple File Upload
* Version: 7.x
* Date: 2016-July-13
* Security risk: 17/25
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

Instagram Block - Moderately Critical - Information Disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2016-037
* Project: Instagram Block [1] (third-party module)
* Version: 7.x, 8.x
* Date: 2016-July-06
* Security risk: 12/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:All [2]
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to authenticate with Instagram's API via an intermediary service (instagram.yanniboi.com). The module doesn't sufficiently advise that your authentication tokens could be intercepted.

VERSIONS AFFECTED