Drupal

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

* Advisory ID: DRUPAL-SA-CONTRIB-2017-067
* Project: Entity reference (third-party module)
* Version: 7.x
* Date: 2017-August-16
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

The entity reference module provides a field type that can reference
arbitrary entities.

In a vulnerable configuration, an attacker could determine the titles of
nodes they do not have access to.

Drupal 8 Core - Multiple Vulnerabilities

The following alert is for the general Drupal public. All Drupal projects on the Drupion platform are updated automatically unless opted out per the instructions on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis.... Drupion users can ask questions under this post on https://www.drupion.com/blog/drupal-8-core-multiple-vulnerabilities

Views - Moderately Critical - Access Bypass

Drupion customers should pay special attention: contributed modules are not covered by the Automatic Drupal Core updates announced on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis....

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Views
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069

* Advisory ID: DRUPAL-SA-CONTRIB-2017-069
* Project: Views Refresh (third-party module)
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

When creating a view, you can optionally use Ajax to update the displayed
data via filter parameters. The views refresh module did not restrict
access to the Ajax endpoint to only views configured to use Ajax. This is
mitigated if you have access restrictions on the view.
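The practical check that follows from this advisory is to find view displays that have no access restriction at all, since those are the ones an unrestricted Ajax endpoint would expose regardless of whether the view is configured to use Ajax. The script below is an added example (not code from Views, Views Refresh or Drupion) that walks every view on a Drupal 7 site and reports displays whose effective access plugin is "none". It assumes the Views 7.x API (views_get_all_views(), the per-display display_options array, and the fact that a display inherits unset options from the "default" display, with "none" being the Views default for access); the function names are the example's own.

```php
<?php
/**
 * Audit script for Drupal 7 + Views 7.x: list every enabled view display
 * whose effective access plugin is "none". Per the Views Refresh advisory,
 * an access restriction on the view is what mitigates the exposed Ajax
 * endpoint, so these are the displays to look at first.
 *
 * Added example, not the module's code. Assumes a bootstrapped Drupal 7
 * site, e.g. run with: drush php-script views_access_audit.php
 */

/**
 * Resolve a display option the way Views does: use the display's own
 * value if set, otherwise the 'default' (master) display's value,
 * otherwise the given fallback (assumed to match the Views default).
 */
function views_access_audit_option($view, $display_id, $option, $fallback) {
  $display = $view->display[$display_id];
  if (isset($display->display_options[$option])) {
    return $display->display_options[$option];
  }
  if ($display_id !== 'default'
      && isset($view->display['default']->display_options[$option])) {
    return $view->display['default']->display_options[$option];
  }
  return $fallback;
}

/**
 * Return "view:display (...)" lines for every display of an enabled view
 * whose effective access type is 'none'. The 'default' display is included
 * because the other displays inherit their access setting from it.
 */
function views_access_audit_unrestricted(array $views) {
  $findings = array();
  foreach ($views as $view) {
    if (!empty($view->disabled)) {
      continue; // A disabled view has no reachable displays.
    }
    foreach ($view->display as $display_id => $display) {
      $access = views_access_audit_option($view, $display_id, 'access', array('type' => 'none'));
      $use_ajax = views_access_audit_option($view, $display_id, 'use_ajax', FALSE);
      if (empty($access['type']) || $access['type'] === 'none') {
        $findings[] = sprintf('%s:%s (plugin=%s, use_ajax=%s)',
          $view->name, $display_id, $display->display_plugin, $use_ajax ? 'yes' : 'no');
      }
    }
  }
  return $findings;
}

// Live run against the site's views (needs the Views API, hence drush bootstrap).
$findings = views_access_audit_unrestricted(views_get_all_views());
if (empty($findings)) {
  print "All enabled view displays have an access restriction.\n";
}
else {
  print "View displays with no access restriction:\n";
  foreach ($findings as $line) {
    print "  $line\n";
  }
}
```

Displays that are meant to be public (a front-page listing, for instance) will show up here too; the point of the report is to make the decision explicit per display rather than to flag each hit as a defect. Where a display is not meant to be public, set the access plugin to a permission or role, which is the mitigation the advisory names.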

Automatic Drupal core updates on a per-website basis on Drupion

Just four days ago Drupion switched the Automatic Drupal Core Update feature from security updates only to all core updates, including regular maintenance releases. It was then announced that all Drupal websites on the Drupion platform are covered by such Automatic Drupal Core Updates.

Later the same day we updated the announcement with the following addition:

Automatic background updates for Drupal core on Drupion servers

While the Drupal community is still deciding whether to implement automatic background updates (https://www.drupal.org/node/2367319 and https://www.drupal.org/node/606592) similar to WordPress' Automatic Background Updates feature, Drupion customers have been enjoying automatic Drupal core security updates for several years.

Session Cache API - Critical - Multiple vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2017-065
* Project: Session Cache API (third-party module)
* Version: 7.x, 8.x
* Date: 2017-August-09
* Security risk: 18/25 (Critical)
* Vulnerability: Multiple vulnerabilities

DESCRIPTION

This module does not safely deal with serialization.

VERSIONS AFFECTED

* Session Cache API 7.x-1.4

Drupal core is not affected. If you do not use the contributed Session Cache API module, there is nothing you need to do.

SOLUTION

Facebook Like Button - Moderately Critical - XSS

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Facebook Like Button (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module provides a Facebook Like button on node pages and blocks.
The module does not sufficiently sanitize output when configured to use
custom css rules.

Better field descriptions - Critical - XSS

* Advisory ID: DRUPAL-SA-CONTRIB-2017-064
* Project: Better field descriptions (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to add themeable descriptions to fields in forms.

The module doesn't sufficiently sanitize descriptions.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "add better descriptions to fields".
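The sink in this class of bug is the Drupal 7 Form API's '#description' key, which theme_form_element() prints without escaping, so any stored, editor-supplied description must be filtered on output. The following is an added example (not the Better field descriptions module's code) showing the unsafe pass-through beside a hardened version that runs the stored text through filter_xss() with a tag whitelist; the sample description string is constructed for the example, and the form id, field name and variable name in the hook_form_alter() sketch are assumptions.

```php
<?php
/**
 * Drupal 7 Form API: '#description' is rendered as raw HTML by
 * theme_form_element(), so a stored description that an editor can change
 * is an XSS sink unless it is filtered when it reaches the form.
 *
 * Added example, not the module's code. Run with drush php-script so that
 * filter_xss() and variable_get() are available.
 */

// Constructed sample of what a user holding the description-editing
// permission might save: the <em> is legitimate markup, the <script> is
// the payload that every viewer of the form would execute.
$stored_description = 'Enter your <em>full</em> name.<script>alert(document.cookie)</script>';

/**
 * Vulnerable: the stored string is returned unchanged, so whatever HTML
 * was saved is rendered for every user who sees the form.
 */
function bfd_example_description_unsafe($description) {
  return $description;
}

/**
 * Hardened: filter_xss() keeps only the whitelisted tags and strips
 * everything else, including <script> elements and on* event attributes.
 * Keep the whitelist as small as the feature actually needs.
 */
function bfd_example_description_safe($description) {
  return filter_xss($description, array('a', 'em', 'strong', 'code', 'br'));
}

/**
 * Sketch of applying the filter at the point where the stored description
 * is attached to a form element (form id, field name and variable name are
 * assumptions made for this example).
 */
function bfd_example_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id === 'user_profile_form' && isset($form['field_full_name'])) {
    $stored = variable_get('bfd_example_full_name_description', '');
    $form['field_full_name']['#description'] = bfd_example_description_safe($stored);
  }
}

// Compare the two on the constructed sample: the unsafe version emits the
// <script> element verbatim; the safe version drops the tag and keeps the
// whitelisted <em>.
print bfd_example_description_unsafe($stored_description) . "\n";
print bfd_example_description_safe($stored_description) . "\n";
```

filter_xss() leaves the text inside a stripped tag in place, so the script's body survives as harmless plain text; if descriptions never legitimately need markup, check_plain() is the simpler and stricter choice. Filtering on output, not only on save, also covers descriptions that were stored before the fix.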

VERSIONS AFFECTED
