November 2016

Elysia Cron - Critical - Arbitrary PHP code execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-062
* Project: Elysia Cron
* Version: 7.x
* Date: 2016-November-30
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

This module enables you to manage cron jobs.

The module allows users with the permission "Administer elysia cron" to
execute arbitrary PHP code via cron.

[Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities

* Advisory ID: DRUPAL-SA-CORE-2016-005
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2016-November-16
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Multiple vulnerabilities

DESCRIPTION

.... Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)

Views Send - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-061
* Project: Views Send
* Version: 7.x
* Date: 2016-November-09
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Views Send module enables you to send mail to multiple users from a View.

The module doesn't sufficiently filter potential user-supplied data when
previewing the e-mail which can lead to a Cross Site Scripting (XSS)
vulnerability.

Workbench Moderation - Moderately Critical - Information Disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2016-060
* Project: Workbench Moderation (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to create and manage custom editorial workflows
around a site's content.

Bootstrap - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Bootstrap (third-party theme)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Bootstrap theme enables you to integrate the Bootstrap framework with
Drupal.

The theme does not sufficiently filter potential user-supplied data when it is
passed to certain templates, which can lead to a persistent Cross Site
Scripting (XSS) vulnerability.

D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-059
* Project: D8 Editor File upload (third-party module)
* Version: 8.x
* Date: 2016-November-02
* Security risk: 12/25 (Moderately Critical)
* Vulnerability:

DESCRIPTION

This module enables you to upload files directly within the CKEditor and
create a link to download the given file.

The module doesn't sufficiently check the uploaded file extensions when the
allowed extensions list is not the default one.

Menu Views - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-055
* Project: Menu Views (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables users to create menu items that render views instead of
links. This is useful for creating "mega-menus".

The module doesn't sufficiently filter title and breadcrumb fields for
possible cross-site scripting.

Like/Dislike - Critical - Unsupported - SA-CONTRIB-2016-056

* Advisory ID: DRUPAL-SA-CONTRIB-2016-056
* Project: Like/Dislike (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 15/25 (Moderately Critical)
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Like/Dislike module can be used to add Like and Dislike actions to any
content. It is powered by Drupal's field concept.

VERSIONS AFFECTED

* All versions of the Like/Dislike module.

Profile 2 Registration Path - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2015-057
* Project: Profile2 Registration Path (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 19/25 (Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables administrators to set unique registration paths per
Profile2 profile type.

VERSIONS AFFECTED

All versions are affected.