February 2017

Timezone Detect - Moderately Critical - Cross Site Request Forgery

* Advisory ID: DRUPAL-SA-CONTRIB-2017-020
* Project: Timezone Detect (third-party module)
* Version: 7.x
* Date: 2017-February-22
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

This module enables sites to automatically detect and set user timezones via
JavaScript.

Metatag - Moderately Critical - Information Disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2017-019
* Project: Metatag (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to add a variety of meta tags to a site for helping
with a site's search engine results and to customize how content is shared on
social networks.

RESTful - Moderately Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-018
* Project: RESTful
* Version: 7.x
* Date: 2017-February-15
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn't validate the status of
users when logging them in by token. As a result, a user who has been blocked
can still perform RESTful actions normally after being blocked.
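The check the advisory describes as missing, written as an added example rather than the RESTful module's own code: a token authenticator that refuses an account whose status is blocked, so a token issued before the block stops working the moment the account is blocked. The token table and user records below are constructed stand-ins for the module's token storage and for Drupal 7's user_load(), and the function name example_token_authenticate is hypothetical.

```php
<?php
// Added example, not code from the RESTful module. Demonstrates validating
// the account status at token-authentication time.

// Constructed stand-in for the module's token table: token => uid.
$example_tokens = array(
  'tok-active-user'  => 42,
  'tok-blocked-user' => 43,
);

// Constructed stand-in for user_load(): uid => account object.
// In Drupal 7, $account->status is 1 for an active account and 0 for a blocked one.
$example_accounts = array(
  42 => (object) array('uid' => 42, 'name' => 'alice', 'status' => 1),
  43 => (object) array('uid' => 43, 'name' => 'bob',   'status' => 0),
);

/**
 * Authenticate a request by token.
 *
 * Returns the account object on success, or FALSE when the token is unknown,
 * the account does not exist, or the account is blocked. In a real module the
 * array lookups would be the token table query and user_load($uid).
 */
function example_token_authenticate($token, array $tokens, array $accounts) {
  if (!isset($tokens[$token])) {
    return FALSE;
  }
  $uid = $tokens[$token];
  $account = isset($accounts[$uid]) ? $accounts[$uid] : NULL;
  if (!$account) {
    return FALSE;
  }
  // The check the advisory says was missing: a valid token must not outlive
  // the account's status. Compare explicitly against the active value.
  if ((int) $account->status !== 1) {
    return FALSE;
  }
  return $account;
}

// Constructed requests: one from an active account, one from a blocked one.
$active  = example_token_authenticate('tok-active-user', $example_tokens, $example_accounts);
$blocked = example_token_authenticate('tok-blocked-user', $example_tokens, $example_accounts);

echo 'active token accepted: ',  var_export($active !== FALSE, TRUE), "\n";
echo 'blocked token accepted: ', var_export($blocked !== FALSE, TRUE), "\n";
```

Checking status on every authenticated request, rather than only when the token is issued, is what makes blocking take effect immediately; a module may additionally delete a user's tokens when the account is blocked, but that is a second layer rather than a replacement for the per-request check.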

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-017
* Project: Flag clear (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 10/25 (Moderately Critical)
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Flag clear module allows administrators to remove user flags for content.
This functionality is often useful in user-submission use-cases, where users
do not necessarily need to unflag things on their own.

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-015
* Project: Search API sorts (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Search API Sorts module allows the site administrator to configure custom
sort options for their search results and expose the control interface via
the core block system.

The module doesn't sufficiently sanitize the name of the sort option, which is
displayed to users.

Hotjar - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-015
* Project: Hotjar (third-party module)
* Version: 7.x, 8.x
* Date: 2017-February-15
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including
tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer hotjar".
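The two XSS advisories above (Search API Sorts and Hotjar) describe the same class of defect in two different output contexts: an administrator-supplied sort name rendered into HTML, and a tracking ID embedded into inline JavaScript. The block below is an added example, not code from either module, showing how each value is handled for its context. check_plain() and drupal_json_encode() are Drupal 7 core functions; the minimal stand-ins are there only so the file runs outside a Drupal bootstrap. The assumption that a Hotjar site ID consists of digits only, and the example_-prefixed function names, are this example's own.

```php
<?php
// Added example, not code from the Search API Sorts or Hotjar modules.

// Stand-ins for Drupal 7 core so this runs outside Drupal. Core's check_plain()
// is htmlspecialchars() with ENT_QUOTES and UTF-8; core's drupal_json_encode()
// uses the same JSON_HEX_* flags so the result is safe inside a <script> element.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('drupal_json_encode')) {
  function drupal_json_encode($var) {
    return json_encode($var, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
  }
}

/**
 * HTML context: a sort option label rendered as a link in a block.
 * The configured name is escaped before it is concatenated into markup.
 */
function example_render_sort_link($name, $url) {
  return '<a href="' . check_plain($url) . '">' . check_plain($name) . '</a>';
}

/**
 * JavaScript context: a tracking snippet carrying the configured ID.
 * HTML escaping alone is not enough here because the value lands inside a
 * <script> element, so the ID is first validated against the expected
 * shape (assumed here to be digits only) and then JSON-encoded, so that a
 * later change of format still cannot break out of the string literal.
 * Returns an empty string when the ID does not match, instead of emitting
 * an unexpected value into the page.
 */
function example_render_tracking_snippet($hotjar_id) {
  if (!preg_match('/^[0-9]+$/', $hotjar_id)) {
    return '';
  }
  $id_js = drupal_json_encode($hotjar_id);
  return "<script>window.exampleTrackingSiteId = {$id_js};</script>";
}

// Constructed inputs of the kind the advisories describe: a sort name
// containing markup, and a tracking ID that tries to close the script tag.
$sort_name = 'Price <img src=x onerror=alert(1)>';
$bad_id    = '</script><script>alert(1)</script>';
$good_id   = '123456';

echo example_render_sort_link($sort_name, '/search?sort=price'), "\n";
echo "[", example_render_tracking_snippet($bad_id), "]\n";   // rejected by the pattern check
echo example_render_tracking_snippet($good_id), "\n";
```

The "administer hotjar" permission mitigates the Hotjar case, as the advisory notes, but output handling still belongs in the module: a role that may configure one tracking ID is narrower than a role that may run arbitrary script in every visitor's browser, and escaping for the correct context keeps those two privileges separate.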

OSF for Drupal - Less Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-014
* Project: OSF for Drupal
* Version: 7.x
* Date: 2017-February-08
* Security risk: 5/25 (Less Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables administrators to use a user interface to create complex
semantic queries that can be saved to be used in different locations of a
Drupal instance that uses OSF.

VERSIONS AFFECTED

* osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.
