November 2017

Bootstrap Carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

Project: bootstrap_carousel
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Moderately critical* 14/25
Vulnerability: Cross Site Scripting

Description

This module provides a way to make carousels, based on bootstrap-carousel.js. The module doesn't sufficiently escape the alt attribute of the img HTML tag when it outputs it.

Cloud - Critical - CSRF - SA-CONTRIB-2017-086

Project: Cloud
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Critical* 18/25
Vulnerability: CSRF

Description

This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack.

The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted deletion of audit reports.

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

Project: MoneySuite
Version: 7.x-10.x-dev
Date: 2017-November-29
Security risk: *Moderately critical* 14/25
Vulnerability: Access bypass

Description

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.

Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

Project: Services single sign-on client
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Critical* 16/25
Vulnerability: Cross-site scripting

Description

This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials.

The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability.

Domain Integration - Moderately critical - Access bypass - SA-CONTRIB-2017-084

Project: Domain Integration
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Moderately critical* 13/25
Vulnerability: Access bypass

Description

This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the domains assigned to a user.

WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

WordPress 4.9 “Tipton”. Major Customizer Improvements, Code Error Checking, and More!

Version 4.9 of WordPress, named “Tipton” in honor of jazz musician and band leader Billy Tipton, is available for download or update in your WordPress dashboard. New features in 4.9 will smooth your design workflow and keep you safe from coding errors.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 14/25
Vulnerability: Access bypass

Description

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Project: Custom Permissions
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13/25
Vulnerability: Access bypass

Description

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Project: Automated Logout
Version: 7.x-4.x-dev
Date: 2017-November-01
Security risk: *Moderately critical* 14/25
Vulnerability: Cross Site Scripting

Description

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting (XSS) vulnerability.