Profile 2 Registration Path – Critical – Cross Site Scripting (XSS) and Access Bypass DRUPAL-SA-CONTRIB-2015-057

Description

This module enables administrators to set unique registration paths per Profile2 profile type.

The module allows users to register even though a site is configured to prevent registration.

The module fails to filter some configuration text. This vulnerability is mitigated by the fact that an attacker must have the “Administer profiles” permission.
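The access bypass described above comes down to a registration route that never consults the site-wide "Who can register accounts?" setting. The following is an added illustration for a hypothetical Drupal 7 module (`example_regpath`), not code from the Profile2 Registration Path module; the paths, the `example_regpath_types` variable and the callback names are assumptions. It shows an extra registration path that is open to everyone beside one that defers to core's `user_register_access()`, which already enforces the `user_register` setting for `/user/register`.

```php
<?php
/**
 * Constructed illustration of a per-profile-type registration route in a
 * hypothetical Drupal 7 module ("example_regpath"). This is not the Profile2
 * Registration Path module's code; the hook_menu() paths, the
 * example_regpath_types variable and the callback names are assumptions.
 */

/**
 * Implements hook_menu().
 */
function example_regpath_menu() {
  $items = array();

  // Weak pattern: the route is open to everyone, so the site-wide
  // "Who can register accounts?" setting (the user_register variable) is
  // never consulted and visitors can register even when it is set to
  // "Administrators only".
  $items['register/insecure/%'] = array(
    'title' => 'Create new account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('user_register_form'),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // Hardened pattern: the access callback reuses core's user_register_access(),
  // which returns TRUE only for anonymous users and only when user_register is
  // not USER_REGISTER_ADMINISTRATORS_ONLY. The extra registration path then
  // obeys the same policy as core's /user/register.
  $items['register/%'] = array(
    'title' => 'Create new account',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('user_register_form'),
    'access callback' => 'example_regpath_register_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Access callback: core registration policy plus a per-path check.
 *
 * @param string $type
 *   Profile type machine name taken from the path (assumed).
 *
 * @return bool
 *   TRUE if registration is allowed on this path for the current user.
 */
function example_regpath_register_access($type) {
  // Defer to core first; this is exactly the check the weak route skips.
  if (!user_register_access()) {
    return FALSE;
  }
  // Only expose paths an administrator actually configured (assumed variable).
  $enabled = variable_get('example_regpath_types', array());
  return in_array($type, $enabled, TRUE);
}
```

The point of the hardened callback is that a contributed module adding its own registration entry point should inherit the core decision rather than re-implement it: if the site later switches `user_register` to "Administrators only", the extra path closes with it.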

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions are affected.

Drupal core is not affected. If you do not use the contributed Profile2 Registration Path module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Profile 2 Registration Path project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Like/Dislike – Critical – Unsupported – SA-CONTRIB-2016-056

Description

The Like/Dislike module adds Like and Dislike actions to any content. It is built on Drupal's field concept.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of like/dislike module.

Drupal core is not affected. If you do not use the contributed Like/Dislike module, there is nothing you need to do.

Solution

If you use the like/dislike module for Drupal 7.x you should uninstall it.

Also see the Like/Dislike project page.

Reported by

Fixed by

Not applicable.


Menu Views – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-055

Description

This module enables users to create menu items that render views instead of links. This is useful for creating “mega-menus”.

The module doesn’t sufficiently filter title and breadcrumb fields for possible cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer menu views”.
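Both the Profile2 Registration Path advisory ("fails to filter some configuration text") and this one ("doesn't sufficiently filter title and breadcrumb fields") describe the same defect class: text saved by a privileged user is printed into page markup without escaping, so it executes for every visitor who sees the menu. The following is an added illustration for a hypothetical Drupal 7 module (`example_menuviews`), not code from the Menu Views or Profile2 Registration Path modules; the function names and the shape of the `$config` array are assumptions. It places the unescaped rendering beside a version that escapes on output with the core helpers `check_plain()`, `filter_xss()` and `check_url()`.

```php
<?php
/**
 * Constructed illustration of rendering administrator-supplied menu title and
 * breadcrumb text in a hypothetical Drupal 7 module ("example_menuviews").
 * This is not the Menu Views module's code; the function names and the
 * $config array shape are assumptions.
 */

/**
 * Weak pattern: configuration text is concatenated into markup as-is.
 *
 * Anyone holding the permission that edits this configuration can store
 * script or event-handler markup that then runs in the browser of every
 * visitor who sees the menu, regardless of that visitor's own permissions.
 */
function example_menuviews_render_insecure(array $config) {
  return '<a href="' . $config['path'] . '">' . $config['title'] . '</a>'
    . '<span class="crumb">' . $config['breadcrumb'] . '</span>';
}

/**
 * Hardened pattern: escape on output with the core helpers.
 *
 * - check_plain() HTML-encodes the whole string: right for a field that is
 *   plain text, such as a menu title.
 * - filter_xss() keeps a small tag allow-list and strips everything else,
 *   including on* attributes and javascript: URLs: right where limited markup
 *   is a feature, such as a breadcrumb that may contain a link.
 * - check_url() is used for attribute values that are meant to be URLs.
 *
 * '#markup' in a render array is printed verbatim, so the escaping has to
 * happen before the value is assigned to it.
 */
function example_menuviews_render(array $config) {
  $title = check_plain($config['title']);
  $crumb = filter_xss($config['breadcrumb'], array('a', 'em', 'strong'));
  $href  = check_url(url($config['path']));

  $build = array(
    '#markup' => '<a href="' . $href . '">' . $title . '</a>'
      . '<span class="crumb">' . $crumb . '</span>',
  );
  return drupal_render($build);
}

// Constructed sample configuration, as a privileged user could have saved it.
$config = array(
  'title' => 'Products <script>alert(1)</script>',
  'breadcrumb' => '<a href="#" onclick="alert(2)">Home</a> &raquo; <em>Products</em>',
  'path' => 'products',
);

// The hardened renderer emits the title with the <script> tag encoded as
// text and the breadcrumb link with its onclick attribute removed; the
// insecure renderer would emit both sample payloads unchanged.
print example_menuviews_render($config);
```

Choosing between `check_plain()` and `filter_xss()` is the practical decision here: a title never needs markup, so full encoding is correct, while a breadcrumb that legitimately carries a link needs the allow-list filter rather than no filter at all.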

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Menu Views 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Menu Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Menu Views project page.

Reported by

Fixed by

Coordinated by



CVE-2016-8864 (bind)

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.