Drupion Newsletter

Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003

Project: Bible
Date: 2018-January-17
Security risk: *Critical* 17∕25
Vulnerability: Multiple Vulnerabilities

Description

This module enables you to display a Bible on your website. Users can
associate notes with a Bible version.

This module has a vulnerability that would allow an attacker to wipe out,
update or read notes from other users with a carefully crafted title.

WordPress 4.9.2 Security and Maintenance Release

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
Vulnerability: Access Bypass

Description

The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.

Solution

Install the latest version:

Drupal and WordPress websites hosted on Drupion are protected from Meltdown and Spectre Attacks

Recent press reports talk about the latest security issues with CPUs that affect Intel, AMD, and ARM processors. The attacks, named Meltdown and Spectre, take advantage of the same basic security vulnerability in those chips and could hypothetically be used by malicious actors to read sensitive information in the system's memory, such as passwords, encryption keys, or sensitive information open in applications.

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

Project: Link Click Count
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported

Description

The Link Click Count module helps you to monitor the traffic to your website
by creating link fields. These link fields can be individual links or
internal/external links that can be added to the content type.

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Project: me aliases
Date: 2017-December-20
Security risk: *Highly critical* 20∕25
Vulnerability: Arbitrary code execution

Description

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution

Install the latest version:

Directory based organizational layer - Critical - Unsupported - SA-CONTRIB-2017-096

Project: Directory based organizational layer
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported

Description

This module adds a new organizational layer to Drupal, making it easy to
manage large numbers of files and nodes.

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Project: Panopoly Core
Version: 7.x-1.x-dev
Date: 2017-December-13
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

This module provides common functionality used by other modules in the
Panopoly distribution and child distributions, like Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when
the "Append Page Title to Site Breadcrumb" setting is enabled.
