SA-CONTRIB-2015-003 – PHPlist Integration Module – SQL Injection

January 7, 2015 007admin Leave a comment

Advisory ID: DRUPAL-SA-CONTRIB-2015-003
Project: PHPlist Integration Module (third-party module)
Version: 6.x
Date: 2015-January-07
Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: SQL Injection

Description

The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter.

The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is not affected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer PHPlist”.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.

Versions affected

PHPlist Integration Module 6.x-1.x versions prior to 6.x-1.7.

Drupal core is not affected. If you do not use the contributed PHPlist Integration Module module, there is nothing you need to do.

Solution

Install the latest version:

If you use the PHPlist Integration Module for Drupal 6.x, upgrade to PHPlist Integration Module 6.x-1.7

Also see the PHPlist Integration Module project page.

Reported by

Pere Orga provisional member of the Drupal Security Team

Fixed by

Tarek Djebali the module maintainer
Pere Orga provisional member of the Drupal Security Team

Coordinated by

Pere Orga provisional member of the Drupal Security Team
Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version:

Drupal 6.x

Drupal

SA-CONTRIB-2015-002 – Course – Cross Site Scripting (XSS)

January 7, 2015 007admin Leave a comment

Advisory ID: DRUPAL-SA-CONTRIB-2015-002
Project: Course (third-party module)
Version: 6.x, 7.x
Date: 2015-January-07
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting

Description

Course module enables you to create e-learning courses with any number of requirements for completion.

The module doesn’t sufficiently filter node title displays when being used in a course.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create course content.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.

Versions affected

Course 7.x-1.x versions prior to 7.x-1.4
Course 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Course module,
there is nothing you need to do.

Solution

Install the latest version:

If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.4
If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.2

Also see the Course project page.

Reported by

Pere Orga provisional member of the Drupal Security Team

Fixed by

Pere Orga provisional member of the Drupal Security Team
Devin Zuczek the module maintainer

Coordinated by

Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version:

Drupal 6.x

Drupal 7.x

Drupal

SA-CONTRIB-2015-001 – OPAC – Cross-Site Request Forgery (CSRF)

January 7, 2015 007admin Leave a comment

Advisory ID: DRUPAL-SA-CONTRIB-2015-001
Project: OPAC (third-party module)
Version: 7.x
Date: 2015-January-07
Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery

Description

OPAC module enables you to create mappings between node fields and ILS record fields.

The module doesn’t ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery (CSRF) attacks.

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.

Versions affected

OPAC 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed OPAC module,
there is nothing you need to do.

Solution

Install the latest version:

If you use the OPAC module 7.x-2.0, upgrade to OPAC 7.x-2.3

Also see the OPAC project page.

Reported by

Pere Orga provisional member of the Drupal Security Team

Fixed by

Julian Maurice the module maintainer
Pere Orga provisional member of the Drupal Security Team

Coordinated by

Pere Orga provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version:

Drupal 7.x

Security

North Korea Doubles Size Of Cyber Army After Sony Accusations

January 7, 2015 007admin Leave a comment

Security

CES 2015: Warning Over Data Grabbed By Smart Gadgets

January 7, 2015 007admin Leave a comment

Security

ATMs Are Being Jackpotted Via USB And A Samsung Galaxy S4

January 7, 2015 007admin Leave a comment

Security

Buffer Overflow Reported In UEFI EDK1

January 7, 2015 007admin Leave a comment

ESET

AOL blocks malicious ads from its advertising platform

January 7, 2015 007admin Leave a comment

AOL has taken steps to stop a set of malicious advertisements being served through their sites, including The Huffington Post, Computer Business Review reports.

The post AOL blocks malicious ads from its advertising platform appeared first on We Live Security.

Security

Microsoft Dynamics CRM 2013 SP1 Cross Site Scripting

January 7, 2015 007admin Leave a comment

Microsoft Dynamics CRM 2013 SP1 suffers from self-inflicted cross site scripting vulnerability.

007 Software

Monthly Archives: January 2015

SA-CONTRIB-2015-003 – PHPlist Integration Module – SQL Injection

Description

CVE identifier(s) issued

Versions affected

Solution

Reported by

Fixed by

Coordinated by

Contact and More Information

SA-CONTRIB-2015-002 – Course – Cross Site Scripting (XSS)

Description

CVE identifier(s) issued

Versions affected

Solution

Reported by

Fixed by

Coordinated by

Contact and More Information

SA-CONTRIB-2015-001 – OPAC – Cross-Site Request Forgery (CSRF)

Description

CVE identifier(s) issued

Versions affected

Solution

Reported by

Fixed by

Coordinated by

Contact and More Information

North Korea Doubles Size Of Cyber Army After Sony Accusations

CES 2015: Warning Over Data Grabbed By Smart Gadgets

ATMs Are Being Jackpotted Via USB And A Samsung Galaxy S4

Buffer Overflow Reported In UEFI EDK1

AOL blocks malicious ads from its advertising platform

Microsoft Dynamics CRM 2013 SP1 Cross Site Scripting

Software and Security Information