December 2017

Directory based organizational layer - Critical - Unsupported - SA-CONTRIB-2017-096

Project: Directory based organizational layer
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported

Description

This module adds a new organizational layer to Drupal, making it easy to
manage large numbers of files and nodes.

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Project: me aliases
Date: 2017-December-20
Security risk: *Highly critical* 20∕25
Vulnerability: Arbitrary code execution

Description

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution

Install the latest version:

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

Project: Link Click Count
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported

Description

The Link Click Count module helps you to monitor the traffic to your website
by creating link fields. These link fields can be individual links or
internal/external links that can be added to the content type.

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Project: Panopoly Core
Version: 7.x-1.x-dev
Date: 2017-December-13
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

This module provides common functionality used by other modules in the
Panopoly distribution and child distributions, such as Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when
the "Append Page Title to Site Breadcrumb" setting is enabled.

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

Project: Node feedback
Version: 7.x-1.2
Date: 2017-December-06
Security risk: *Moderately critical* 12∕25
Vulnerability: Access Bypass

Description

This module enables you to configure nodes so that feedback can be sent through personal or site-wide contact forms.

The module doesn't sufficiently check access to nodes whose titles are shown on contact forms.

Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

Project: Configuration Update Manager
Version: 8.x-1.4
Date: 2017-December-06
Security risk: *Moderately critical* 12∕25
Vulnerability: Cross Site Request Forgery (CSRF)

Description

The Configuration Update Reports sub-module in the Configuration Update
module project enables you to run reports to see what configuration on your
site differs from the configuration distributed by a module, theme, or
installation profile, and to revert, delete, or import configuration.

Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

Project: Feedback Collect
Version: 7.x-1.5
Date: 2017-December-06
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting (XSS)

Description

This module enables you to add feedback forms and gather end user feedback,
bug reports or any kind of suggestions.

The module doesn't sufficiently filter the output of its own fields when
feedback-collect content types are created or edited.

Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

Project: Mailhandler
Version: 7.x-2.10
Date: 2017-December-06
Security risk: *Critical* 17∕25
Vulnerability: Remote Code Execution

Description

The Mailhandler module enables you to create nodes by email.

The Mailhandler module does not validate file attachments. By sending a specially crafted e-mail to a mailhandler mailbox, an attacker can execute arbitrary code.

The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.

How does acquisition of Symantec's Certificate Authority business by DigiCert, Inc. affect Drupion customers?

As of October 31, 2017, DigiCert, Inc. completed the acquisition of Symantec Corporation's Certificate Authority business, which includes all website security assets related to SSL and PKI. The transition is already complete, and some end-user actions are required if you own and use a GeoTrust, Thawte or RapidSSL SSL certificate. But don't worry if you are a Drupion customer, as you are in good hands.