Drupal contributed modules


SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)

Wed, 06/12/2013 - 15:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-052
  • Project: Display Suite (third-party module)
  • Version: 7.x
  • Date: 2013-June-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to create entity bundle labels of some sort, which usually needs a higher level permission such as administer taxonomy.

CVE identifier(s) issued
  • CVE-2013-2177
Versions affected
  • Display Suite 7.x-1.x versions prior to 7.x-1.7.
  • Display Suite 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Display Suite module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: security

SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

Wed, 06/05/2013 - 18:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-051
  • Project: Services (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-June-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

The module doesn't sufficiently verify writing requests (POST, PUT, DELETE) with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability.

This vulnerability is mitigated by the fact that session based authentication must be enabled for an endpoint.

CVE identifier(s) issued
  • CVE-2013-2158
Versions affected
  • Services 6.x-3.x versions.
  • Services 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version or uninstall the module.

  • If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.4
  • If you use the Services module for Drupal 6.x, uninstall the module.

Note that Services clients using session authentication must now supply a special X-CSRF-Token header carrying a token that can be retrieved from http://example.com/services/session/token. This is required for calls using writing HTTP methods (POST, PUT, DELETE).
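The check described above, as an added illustration that is not the Services module's own code: a session-authenticated write request is accepted only when it carries an X-CSRF-Token header bound to the session. Token derivation follows the pattern of Drupal 7's drupal_get_token() (an HMAC over a fixed value, keyed with session id, private key and hash salt); the session id, private key, hash salt and the token value 'services' are assumptions constructed for the example.

```php
<?php
// Added example, not Services module code. Models the X-CSRF-Token gate for
// session-authenticated write requests. Session id, private key and salt are
// constructed sample values; the token value 'services' is an assumption.

define('EXAMPLE_SESSION_ID', 'SESSa1b2c3d4e5f6');        // constructed
define('EXAMPLE_PRIVATE_KEY', 'constructed-private-key');  // constructed
define('EXAMPLE_HASH_SALT', 'constructed-hash-salt');      // constructed

/** Base64url-encoded HMAC-SHA256, the encoding drupal_hmac_base64() uses. */
function example_hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

/** Token for a session: what GET /services/session/token would hand back. */
function example_get_token($session_id, $value = 'services') {
  return example_hmac_base64($value, $session_id . EXAMPLE_PRIVATE_KEY . EXAMPLE_HASH_SALT);
}

/** Constant-time comparison of a presented token against the session's expected token. */
function example_valid_token($token, $session_id, $value = 'services') {
  return hash_equals(example_get_token($session_id, $value), (string) $token);
}

/**
 * Gate run before a session-authenticated endpoint handles a request.
 * Only the writing methods the advisory names are checked. A cross-site form
 * post carries the session cookie but cannot attach a custom header, so a
 * valid header proves the caller first fetched the token from this site.
 */
function example_csrf_gate($method, array $headers, $session_id) {
  $writing = array('POST', 'PUT', 'DELETE');
  if (!in_array(strtoupper($method), $writing, TRUE)) {
    return TRUE;
  }
  $presented = isset($headers['X-CSRF-Token']) ? $headers['X-CSRF-Token'] : '';
  return example_valid_token($presented, $session_id);
}

// Constructed exchange. Step 1: the logged-in client fetches its token.
$token = example_get_token(EXAMPLE_SESSION_ID);

// Forged cross-site POST: cookie present, no header -> rejected.
var_dump(example_csrf_gate('POST', array(), EXAMPLE_SESSION_ID));
// Legitimate client sends the header it fetched -> accepted.
var_dump(example_csrf_gate('POST', array('X-CSRF-Token' => $token), EXAMPLE_SESSION_ID));
// Token minted for a different session -> rejected.
var_dump(example_csrf_gate('DELETE', array('X-CSRF-Token' => example_get_token('SESSother')), EXAMPLE_SESSION_ID));
// Read-only GET is not gated.
var_dump(example_csrf_gate('GET', array(), EXAMPLE_SESSION_ID));
```

Binding the token to the session id is what makes a token obtained in one browser useless in another; comparing with hash_equals() avoids leaking the expected value through timing. Run with `php example.php` on PHP 5.6 or later (hash_equals).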

Also see the Services project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: security

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

Wed, 05/29/2013 - 22:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-050
  • Project: Webform (third-party module)
  • Version: 6.x
  • Date: 2013-May-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Webform module allows the creation of custom webforms and surveys.

The Webform module does not sanitize the labels of created components (fields) when displaying the list of components available for use in e-mails or downloaded CSV files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit own webform content" or "edit all webform content".
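Both this advisory and SA-CONTRIB-2013-052 (Display Suite) above come down to the same defect: a label set by a privileged editor (an entity bundle label, a webform component label) is placed into markup unescaped. The following is an added example, not code from either module, showing a vulnerable rendering of such a label list beside the hardened form that routes every label through an escaper equivalent to Drupal 7's check_plain(). The component array is constructed sample input; the function names are the example's own.

```php
<?php
// Added example, not Display Suite or Webform code. Renders a list of
// editor-supplied labels two ways: concatenated verbatim (vulnerable) and
// escaped with a check_plain() equivalent (hardened).

/** Stand-in for Drupal 7's check_plain(): htmlspecialchars with ENT_QUOTES, UTF-8. */
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Vulnerable: the label and key land in the markup untouched. */
function example_render_components_vulnerable(array $components) {
  $items = array();
  foreach ($components as $key => $label) {
    $items[] = '<li>' . $label . ' (%' . $key . '%)</li>';
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

/** Hardened: every untrusted string is escaped at the point it enters HTML. */
function example_render_components_safe(array $components) {
  $items = array();
  foreach ($components as $key => $label) {
    $items[] = '<li>' . example_check_plain($label) . ' (%' . example_check_plain($key) . '%)</li>';
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

/** Coarse regression check: does a rendered fragment still contain a raw tag or quote? */
function example_contains_raw_markup($html_fragment, $label) {
  return strpos($html_fragment, $label) !== FALSE && preg_match('/[<>"\']/', $label) === 1;
}

// Constructed sample: one component label written by a user holding
// "edit own webform content" contains markup.
$components = array(
  'email' => 'E-mail address',
  'name'  => '<script>alert(document.cookie)</script>Name',
);

$vulnerable = example_render_components_vulnerable($components);
$safe       = example_render_components_safe($components);

var_dump(example_contains_raw_markup($vulnerable, $components['name'])); // raw label survives
var_dump(example_contains_raw_markup($safe, $components['name']));       // escaped, no raw tag
echo $safe, "\n";
```

Escaping at output, not at save time, is the convention both modules' fixes follow in Drupal 7: the stored label stays as the editor typed it, and each output context (HTML list, e-mail body, CSV cell) applies the escaping appropriate to that context.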

CVE identifier(s) issued
  • CVE-2013-2129
Versions affected
  • Webform 6.x-3.x versions prior to 6.x-3.19.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use the Webform module for Drupal 6, install the latest version, Webform 6.x-3.19. Drupal 7 versions of this module are not affected.

Also see the Webform project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: security

SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

Wed, 05/29/2013 - 15:22
Description

This module allows different access permissions to be given to authors, referenced users and non-referenced users.

When an author has created content containing a user reference field (with author update/delete grants enabled) and the author's user account is later deleted, content created by them can be edited by anonymous users.
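The failure mode described above, modelled as an added example that is not the nodeaccess_userreference module's code. It uses a simplified stand-in for Drupal 7's node access grant matching (records from hook_node_access_records() matched against gids from hook_node_grants()). The assumption, labelled in the code, is that deleting the author reassigns the node to uid 0, which is also the gid every anonymous visitor holds in a uid-keyed realm; the realm name and node data are constructed.

```php
<?php
// Added example, not nodeaccess_userreference code. Simplified model of Drupal 7
// node access: a node carries access records (realm, gid, grants); an account
// holds gids per realm; access is granted when any record matches and carries
// the requested grant. Assumption: deleting the author reassigns the node to uid 0.

/** Simplified node_access(): any matching record with the grant set allows the op. */
function example_node_access(array $records, array $grants, $op) {
  foreach ($records as $record) {
    if (isset($grants[$record['realm']])
        && in_array($record['gid'], $grants[$record['realm']], TRUE)
        && !empty($record['grant_' . $op])) {
      return TRUE;
    }
  }
  return FALSE;
}

/** hook_node_grants() stand-in: every account, anonymous included, holds its own uid as a gid. */
function example_node_grants($uid) {
  return array('example_author' => array((int) $uid));
}

/** Vulnerable hook_node_access_records() stand-in: author record emitted unconditionally. */
function example_access_records_vulnerable(array $node) {
  return array(array(
    'realm' => 'example_author',
    'gid' => (int) $node['uid'],
    'grant_view' => 1,
    'grant_update' => 1,
    'grant_delete' => 1,
    'priority' => 0,
  ));
}

/** Hardened: uid 0 is not an author, so no author grants are written for it. */
function example_access_records_safe(array $node) {
  if ((int) $node['uid'] === 0) {
    return array();
  }
  return example_access_records_vulnerable($node);
}

// Constructed node: written by uid 42, whose account was later deleted and
// whose content was reassigned to uid 0 (assumption, see above).
$node = array('nid' => 7, 'uid' => 0);
$anonymous_grants = example_node_grants(0);

var_dump(example_node_access(example_access_records_vulnerable($node), $anonymous_grants, 'update'));
var_dump(example_node_access(example_access_records_safe($node), $anonymous_grants, 'update'));
```

The general rule the hardened version applies: any grant keyed by a user id must treat uid 0 as "nobody", because in Drupal that id is shared by every unauthenticated request. The same guard belongs in front of the referenced-user grants, since a reference field can point at a deleted account too.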

CVE identifier(s) issued
  • CVE-2013-2123
Versions affected
  • nodeaccess_userreference 6.x-3.x versions prior to 6.x-3.5.
  • nodeaccess_userreference 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Node access user reference module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node access user reference project page.

Reported by

Fixed by

Coordinated by
  • Dan Smith, provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: security

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

Wed, 05/29/2013 - 14:26
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-048
  • Project: Edit Limit (third-party module)
  • Version: 7.x
  • Date: 2013-May-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments.

The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. This makes it possible for a user who can edit their own comments to edit the comments of any other user.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit comments".
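An added example, not Edit Limit's code, of the access-check ordering the advisory describes: a module that derives comment edit permission from its own time and count limits alone, beside one that first requires the base permission Drupal core applies (the user's own comment plus "edit own comments", or "administer comments") and only then narrows it with the limits. The "edit comments" permission is the one the advisory names and is assumed here to be the module's own; the window, count limit, accounts and comment are constructed.

```php
<?php
// Added example, not Edit Limit code. Two ways of combining a module's edit
// limits with core's comment access; only the second refuses edits of other
// users' comments. Policy values and data below are constructed.

define('EXAMPLE_EDIT_WINDOW', 3600); // seconds after posting during which edits are allowed

/** Stand-in for core's comment_access('edit', $comment) in Drupal 7. */
function example_core_comment_access(array $account, array $comment) {
  if (in_array('administer comments', $account['permissions'], TRUE)) {
    return TRUE;
  }
  return $account['uid'] != 0
    && $account['uid'] == $comment['uid']
    && in_array('edit own comments', $account['permissions'], TRUE);
}

/** Edit Limit style policy: inside the time window and under the edit count. */
function example_within_limits(array $comment, $now, $max_edits = 3) {
  return ($now - $comment['created']) <= EXAMPLE_EDIT_WINDOW
    && $comment['edit_count'] < $max_edits;
}

/**
 * Vulnerable: the decision rests on the module's own permission and limits,
 * so anyone holding "edit comments" may edit any comment still inside the limits.
 */
function example_can_edit_vulnerable(array $account, array $comment, $now) {
  return in_array('edit comments', $account['permissions'], TRUE)
    && example_within_limits($comment, $now);
}

/** Hardened: limits only narrow what core already permits; they never widen it. */
function example_can_edit_safe(array $account, array $comment, $now) {
  return example_core_comment_access($account, $comment)
    && example_within_limits($comment, $now);
}

// Constructed data: alice (uid 5) attempts to edit bob's (uid 9) one-minute-old comment.
$now = 1000000;
$alice = array('uid' => 5, 'permissions' => array('edit comments', 'edit own comments'));
$bobs_comment = array('cid' => 1, 'uid' => 9, 'created' => $now - 60, 'edit_count' => 0);

var_dump(example_can_edit_vulnerable($alice, $bobs_comment, $now));
var_dump(example_can_edit_safe($alice, $bobs_comment, $now));

// Alice's own fresh comment is still editable under the hardened rule.
$alices_comment = array('cid' => 2, 'uid' => 5, 'created' => $now - 60, 'edit_count' => 1);
var_dump(example_can_edit_safe($alice, $alices_comment, $now));
```

The pattern generalises to any module that wraps a core access decision: call the core check first and AND your policy onto its result, so a bug in the policy can only deny, never grant.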

CVE identifier(s) issued
  • CVE-2013-2122
Versions affected
  • Edit Limit 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Edit Limit module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Edit Limit project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: security