Security

Page Access - Unsupported - SA-CONTRIB-2017-75

* Advisory ID: DRUPAL-SA-CONTRIB-2017-75
* Project: Page Access (third-party module)
* Date: 20-September-2017

DESCRIPTION

This module will provide the option to give the View and Edit access for
users and roles on each node pages.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

* Advisory ID: DRUPAL-SA-CONTRIB-2017-076
* Project: Skype Status
* Version: 7.x
* Date: 2017-September-20
* Security risk: 14/25 ( Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to obtain the status for a user's Skype account

The module doesn't sufficiently sanitize the user input for their Skype ID.

This vulnerability is mitigated by the fact that an attacker must have an
account on the site and be allowed to edit/input their Skype ID.

VERSIONS AFFECTED

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

* Advisory ID: DRUPAL-SA-CONTRIB-2017-074
* Project: Flag clear
* Version: 7.x
* Date: 2017-September-13
* Security risk: 14/25 ( Moderately Critical)
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Flag clear module allows administrators to remove user flags for content.
This functionality is often useful in user-submission use-cases, where users
do not necessarily need to unflag things on their own.

The module doesn't sufficiently confirm a user's intent to take unflagging
actions.

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

* Advisory ID: DRUPAL-SA-CONTRIB-2017-073
* Project: CAPTCHA (third-party module)
* Version: 7.x
* Date: 2017-September-06
* Security risk: 10/25 ( Moderately Critical)
* Vulnerability: Denial of Service

DESCRIPTION

This module enables you to use various techniques to block automated scripts
/ robots from submitting content to a site, e.g. to block spam comments.

The module doesn't properly store the session ID of visitors who are given a
session which could lead to a Denial of Service attack.

Clientside Validation - Critical - Arbitrary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

* Advisory ID: DRUPAL-SA-CONTRIB-2017-072
* Project: Clientside Validation (third-party module)
* Version: 7.x
* Date: 2017-September-06
* Security risk: 16/25 ( Critical)
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The Clientside Validation module enables you to have clientside (Javascript)
validation on your forms.

The module does not sufficiently validate parameters of a POST request made
when validating a CAPTCHA.

Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070

* Advisory ID: DRUPAL-SA-CONTRIB-2017-070
* Project: Commerce Invoices (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 20/25 ( Highly Critical)
* Vulnerability: Cross Site Scripting, SQL Injection

DESCRIPTION

Commerce Invoices allows you to enter an Invoice number, Company name and
Amount and it will generate an Invoice that the client can pay on your site
using any payment method supported by Drupal commerce.

SQL INJECTION

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

* Advisory ID: DRUPAL-SA-CONTRIB-2017-071
* Project: H5P- Create and Share Rich Content and Applications (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 18/25 ( Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The H5P module helps create interactive videos, question sets, drag and drop
questions, multichoice questions, boardgames, presentations, flashcards and
more using Drupal.

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

* Advisory ID: DRUPAL-SA-CONTRIB-2017-067
* Project: Entity reference (third-party module)
* Version: 7.x
* Date: 2017-August-16
* Security risk: 12/25 ( Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

The entity reference module provides a field type that can reference
arbitrary entities.

In a vulnerable configuration, an attacker could determine the titles of
nodes they do not have access to.

Pages

Subscribe to Security