February 2017

Better Exposed Filters - Less Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-009
* Project: Better Exposed Filters
* Version: 7.x
* Date: 2017-February-01
* Security risk: 7/25 (Less Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Better Exposed Filters module gives site builders more choices for
rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the
"Include the term description" option is selected.

Storage API stream wrappers - Moderately Critical - Access bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-010
* Project: Storage API stream wrappers
* Version: 7.x
* Date: 2017-February-08
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module provides stream wrappers to integrate Storage API with
Drupal, as an alternative to Storage API's core_bridge submodule.

It provides two stream wrappers: "Storage API Public" and "Storage API
Private".

Facebook Pull - Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-011
* Project: Facebook Pull
* Version: 7.x
* Date: 2017-February-08
* Security risk: 15/25 (Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to add integration with Facebook API.

The module doesn't sufficiently sanitize incoming data from Facebook.

WetKit Omega - Moderately Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-012
* Project: Web Experience Toolkit: Omega
* Version: 7.x
* Date: 2017-February-08
* Security risk: 10/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme
powered by the Omega base theme.

When using the Drupal page cache, some links intended for privileged users
can get cached and displayed to users who shouldn't have access to them.

OSF for Drupal - Less Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-014
* Project: OSF for Drupal
* Version: 7.x
* Date: 2017-February-08
* Security risk: 5/25 (Less Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables administrators to use a user interface to create complex
semantic queries that can be saved to be used in different locations of a
Drupal instance that uses OSF.

VERSIONS AFFECTED

* osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.

Hotjar - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-015
* Project: Hotjar (third-party module)
* Version: 7.x, 8.x
* Date: 2017-February-15
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including
tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer hotjar".

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-015
* Project: Search API sorts (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Search API Sorts module allows the site administrator to configure custom
sort options for their search results and expose the control interface via
the core block system.

The module doesn't sufficiently sanitize the name of the sort option, which is
displayed to users.

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF)

* Advisory ID: DRUPAL-SA-CONTRIB-2017-017
* Project: Flag clear (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 10/25 (Moderately Critical)
* Vulnerability: Cross Site Request Forgery

DESCRIPTION

The Flag clear module allows administrators to remove user flags for content.
This functionality is often useful in user-submission use-cases, where users
do not necessarily need to unflag things on their own.

RESTful - Moderately Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-018
* Project: RESTful
* Version: 7.x
* Date: 2017-February-15
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth sub-module doesn't validate the status of users when
logging them in. As a result, a blocked user can continue to perform RESTful
actions normally, even after being blocked.

Metatag - Moderately Critical - Information Disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2017-019
* Project: Metatag (third-party module)
* Version: 7.x
* Date: 2017-February-15
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Information Disclosure

DESCRIPTION

This module enables you to add a variety of meta tags to a site for helping
with a site's search engine results and to customize how content is shared on
social networks.
