January 2018

Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006

Project: Taxonomy Term Reference Tree Widget
Date: 2018-January-31
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

This module provides an expandable tree widget for the Taxonomy Term
Reference field in Drupal 7.

The module doesn't sufficiently sanitize the output of its own defined field
formatter.

Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004

Project: Backup and Migrate
Date: 2018-January-24
Security risk: *Critical* 15∕25
Vulnerability: Arbitrary PHP code execution

Description

This module enables you to create manual and scheduled backups of a site, and restore the site from backup.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

Steven Hodges, stevenchodges.com, 22 January 2018

Honestly I've tried a lot of Drupal hosting sites. Yours (Shared Entry) was the best I have seen, and honestly I have no problem sticking with you as a host. However, I switched to another host because I like the idea of having a full VPS to play with and it was also a tad bit cheaper. Thanks for the refund, I actually didn't realize you had a refund policy!

Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003

Project: Bible
Date: 2018-January-17
Security risk: *Critical* 17∕25
Vulnerability: Multiple Vulnerabilities

Description

This module enables you to display a Bible on your website. Users can
associate notes with a Bible version.

This module has a vulnerability that would allow an attacker to wipe out,
update or read notes from other users with a carefully crafted title.

WordPress 4.9.2 Security and Maintenance Release

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
Vulnerability: Access Bypass

Description

The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.

Solution

Install the latest version:

Drupal and WordPress websites hosted on Drupion are protected from Meltdown and Spectre Attacks

Recent press reports talk about the latest security issues with CPUs that affect Intel, AMD, and ARM processors. The attacks, named Meltdown and Spectre, take advantage of the same basic security vulnerability in those chips and could hypothetically be used by malicious actors to read sensitive information in the system's memory, such as passwords, encryption keys, or sensitive information open in applications.