Drupal Contrib Security
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_file_private to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem.
For installations of Open Social prior to version 11.8.0, after updating to 11.8.0 or higher, newly uploaded files were no longer stored in the private file system as intended. Instead, they were stored in the public file system.
Solution:Install the latest version and make sure to run the update hooks.
- If you use Open Social 12.3.x upgrade to Open Social 12.3.10
- If you use Open Social 12.4.x upgrade to Open Social 12.4.9
Note: If some files were uploaded during that time and became unused, the update hook cannot move them. These files will require manual cleanup. Read the module release notes linked above for advice on how to handle that situation.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution:Install the latest version:
- If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to Login Disable 2.1.1
The Drupal 7 version of the module is not affected.
Reported By: Fixed By: Coordinated By:- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072
This module provides a block that renders a link providing the functionality of a browser's back button.
The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:Install the latest version:
- If you use the Browser Back Button module for Drupal 9.x/10.x, upgrade to Browser Back Button 2.0.2
- Ivo Van Geertruyen of the Drupal Security Team
Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.
The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.
This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.
Solution:Install the latest version:
- If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to Entity Form Steps 1.1.4
- Ivo Van Geertruyen of the Drupal Security Team
Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070
The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website.
Several administrator routes are unprotected against Cross-Site Request Forgery (CRSF) attacks.
Solution:Install the latest version:
- If you use the Minify JS module for Drupal 7.x, upgrade to Minify JS 7.x-1.11
- If you use the Minify JS module for Drupal 8.x, upgrade to Minify JS 3.0.3
- Ivo Van Geertruyen of the Drupal Security Team
- Scott Joudry
- Ivo Van Geertruyen of the Drupal Security Team
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
This module provides a field formatter for the field type 'file' called `Table of files with download all link` .
The module had vulnerabilities allowing a user to download files they normally should not be able to download.
Solution:Install the latest version:
- If you use the Download All Files module, upgrade to 2.0.2 version
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068
Module to restrict access from anonymous and regular users to configured pre-defined pages.
The module does not adequately handle protecting certain types of URLs.
Solution:Install the latest version:
- If you use the Pages Restriction Access for Drupal 8.x or higher, upgrade to Pages Restriction Access for Drupal 2.0.3
- Pierre Rudloff
- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.
The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.
Solution:Install the latest version:
- If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to miniorange_oauth_client 8.x-3.44 .
- If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to miniorange_oauth_client 4.0.19.
- If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client 7.x-1.355.
- Borut Piletic
- singh_ankit
- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Reported By:- Drew Webber of the Drupal Security Team
Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Reported By:- Drew Webber of the Drupal Security Team
Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064
This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron.
When Google Tag Manager (GTM) service is enabled, an attacker can load a GTM container that can completely change the page or insert malicious JS.
This vulnerability is mitigated by the fact that the attacker must have a role with the permission "administer tarte au citron".
Solution:Install the latest version and confirm only trusted roles have the "Administer Tarte au citron" permission.
- If you use the Tarte au citron module for Drupal 10.x, upgrade to Tarte au citron 2.0.5
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- cilefen of the Drupal Security Team
Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063
This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes.
In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "access administration pages", however this could be the case if this issue were combined with others in an "attack chain".
Solution:Install the latest version:
- If you use the Eloqua module for Drupal 7.x, upgrade to Eloqua 7.x-1.15
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062
This module for Drupal provides complete control of Email settings with Drupal and Mailjet.
In certain cases the module doesn't securely pass data to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "administer mailjet module", however this could be the case if this issue were combined with others in an "attack chain".
Solution:Install the latest version:
- Upgrade to Mailjet 4.0.1
- For Drupal 7.x, upgrade to Mailjet 7.x-2.23
- Drew Webber of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Bohdan Artemchuk
- Drew Webber of the Drupal Security Team
Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061
This module allows users to export nodes and then import it into another Drupal installation, or on the same site.
In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could results in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "Use PHP to import nodes", however this could be the case if this issue were combined with others in an "attack chain".
In general, if this module is not in active use it is recommended to disable it.
Solution:Install the latest version:
- If you use the Node Export module for Drupal 7, upgrade to Node Export 7.x-3.3
- Drew Webber of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Ivan Trokhanenko
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).
This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the allow_insecure_uploads config.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".
Solution:Install the latest version:
- If you use the POST File module for Drupal 10.3.x/11.x, upgrade to POST File 1.0.2
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).
The module doesn't sufficiently protect against Cross Site Request Forgery
under allowing an attacker to trick a site user into uploading a file.
Install the latest version:
- If you use the POST File module for Drupal 10.3.x/11.x, upgrade to Post File 1.0.2
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058
This module enables you to add any HTML content you want in a tooltip displayed on mouse hover.
The module does not sufficiently escape the markup inserted in the tooltip block.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:Install the latest version:
- If you use the Tooltip module for Drupal 8.x, 9.x or 10.x, upgrade to Tooltip 1.1.2
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
The module provides a possibility to restrict access to specific paths using
basic HTTP authentication, in addition to standard Drupal access checks.
In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability.
Solution:Install the latest version:
- If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade to Basic Authentication 7.x-1.4
- Roderik Muit
- Ivo Van Geertruyen of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
Neue Kommentare
vor 2 Tagen 20 Stunden
vor 3 Tagen 19 Stunden
vor 5 Tagen 14 Stunden
vor 5 Tagen 19 Stunden
vor 5 Tagen 22 Stunden
vor 6 Tagen 9 Stunden
vor 6 Tagen 12 Stunden
vor 6 Tagen 12 Stunden
vor 6 Tagen 12 Stunden
vor 6 Tagen 12 Stunden