January 2017

Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002

* Advisory ID: DRUPAL-SA-CONTRIB-2017-002
* Project: Doubleclick for Publishers (DFP) (third-party module)
* Version: 7.x
* Date: 2017-January-04
* Security risk: 10/25 ( Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to place advertisements on your site that are
served by Google's DFP (Doubleclick for Publishers) service.

Autocomplete Deluxe - Moderately Critical - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2017-003
* Project: Autocomplete Deluxe (third-party module)
* Version: 7.x
* Date: 2017-January-11
* Security risk: 13/25 ( Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module creates a new widget for taxonomy fields based on jQuery UI
autocomplete.

Mailjet - Highly critical - Arbitrary PHP code execution

* Advisory ID: DRUPAL-SA-CONTRIB-2017-005
* Project: Mailjet (third-party module)
* Version: 7.x
* Date: 2017-January-11
* Security risk: 23/25 ( Highly Critical)
* Vulnerability: Arbitrary PHP code execution

DESCRIPTION

The Mailjet module integrates with a 3rd party system to deliver
site-generated emails, including newsletters, system notifications, etc.

Drupion switches to multi-byte UTF-8 supported MariaDB database

Since Drupal 7.50 introduced multi-byte (4-byte) UTF-8 support for MySQL and other database drivers, Drupal 7 sites have been able to store and display emoji, Asian scripts, mathematical symbols and other characters outside the Basic Multilingual Plane correctly.

However, 4-byte UTF-8 support remains disabled on most Drupal 7 websites, mainly for two reasons:
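As an added illustration (not Drupion's configuration and not code from the original page), this is what opting in to 4-byte UTF-8 looks like in a Drupal 7.50+ site's sites/default/settings.php. The database name, user, password and host are placeholders. The first array is the pre-7.50 default, under which MySQL's 3-byte "utf8" charset cannot hold supplementary-plane characters; the second enables utf8mb4. The version and InnoDB requirements in the comments are those documented for Drupal 7.50's MySQL driver.

```php
<?php
// sites/default/settings.php (excerpt). Added illustration, not the page's
// or Drupion's own configuration; 'drupal', 'secret' and 'localhost' are
// placeholders.

// BEFORE: the pre-7.50 default. MySQL's "utf8" is a 3-byte encoding, so
// emoji and other characters outside the Basic Multilingual Plane cannot be
// stored: depending on the server's SQL mode the insert is rejected with an
// "Incorrect string value" error or the text is cut off at the first such
// character.
$databases['default']['default'] = array(
  'driver'   => 'mysql',
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host'     => 'localhost',
  'prefix'   => '',
  // 'charset' and 'collation' omitted: Drupal 7 falls back to
  // utf8 / utf8_general_ci.
);

// AFTER: opt in to 4-byte UTF-8. Requires Drupal 7.50 or later and a MySQL
// 5.5.3+ (or MariaDB) server with the utf8mb4 charset. On MySQL older than
// 5.7.7 (MariaDB older than 10.2.2) the server must additionally run with
// innodb_large_prefix=1, innodb_file_format=Barracuda and
// innodb_file_per_table=1, otherwise the longer key prefixes of 4-byte
// columns no longer fit into InnoDB index limits and table creation fails.
$databases['default']['default'] = array(
  'driver'    => 'mysql',
  'database'  => 'drupal',
  'username'  => 'drupal',
  'password'  => 'secret',
  'host'      => 'localhost',
  'prefix'    => '',
  'charset'   => 'utf8mb4',
  'collation' => 'utf8mb4_general_ci',
);
```

Changing these two keys on an existing site does not convert tables that were created with the 3-byte charset; those have to be converted separately before the new setting is switched on, and the Drupal 7 status report (Reports > Status report) shows whether 4-byte support is actually active for the database.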

Oauth - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-006
* Project: oauth
* Version: 7.x
* Date: 2017-January-25
* Security risk: 19/25 ( Critical)

DESCRIPTION

This module implements the OAuth 1.0 standard for use with Drupal and acts as
a support module for other modules that wish to use OAuth.

VERSIONS AFFECTED

* All versions

Drupal core is not affected. If you do not use the contributed Oauth module, there is nothing you need to do.

SOLUTION

Microblog - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-007
* Project: microblog
* Version: 7.x
* Date: 2017-January-25
* Security risk: 19/25 ( Critical)

DESCRIPTION

This module enables microblogging on Drupal sites using it.

VERSIONS AFFECTED

* All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

SOLUTION

SalesCloud - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-008
* Project: Salescloud
* Version: 7.x
* Date: 2017-January-25
* Security risk: 19/25 ( Critical)

DESCRIPTION

This module connects Drupal to SalesCloud's API, a Commerce Platform as a
Service.

VERSIONS AFFECTED

* All versions

Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.

SOLUTION

Highfields Center for Composting

Daniel Shearer
Highfields Center for Composting, 2 January 2017

Drupion has supported our non-profit by providing free hosting for several years. We recently had an account mixup and it was addressed within minutes (on a federal holiday!). Thanks!

Our mission at Highfields is to close the loop on community-based, sustainable food and agricultural systems, thus addressing soil health, water quality, solid waste, farm viability, and climate change.

http://www.highfieldscomposting.org