The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site – it is commonly referred to as a ‘file browser to the internet’.
Versions affected
Only the 1.x branch is affected. Version 2.0 does not have this vulnerability.
Drupal core is not affected. If you do not use the contributed Media module, there is nothing you need to do.
Solution
If you use the Media 1.x branch you should upgrade to version 2.0 or later.
See the Media 2.0 release notes for more information on how to upgrade (it’s more complex than most contrib upgrades – for example, it involves other contrib modules moving from media_entity to file_entity)!
Open Atrium is a distribution that enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this “public” content might be restricted to only logged in users by disabling anonymous access to the site.
The oa_core and oa_comment modules do not properly respect the “view published content” permission and allow anonymous users to view this “public” content regardless of the permission setting.
This only affects sites that have disabled the “view published content” permission for anonymous users, and only affects a small number of views.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Open Atrium distribution 7.x-2.x versions prior to 7.x-2.615
oa_core 7.x-2.x versions prior to 7.x-2.84.
oa_comment 7.x-2.x versions prior to 7.x-2.14.
Drupal core is not affected. If you do not use the contributed Open Atrium Core module, there is nothing you need to do.
Solution
Install the latest version of Open Atrium. Be sure to revert the following features:
oa_comments, oa_core, oa_news, oa_river, oa_section, oa_sections
Provides some additional APIs for developers working with Drupal 7.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions.
Drupal core is not affected. If you do not use the contributed @Base module, there is nothing you need to do.
Solution
If you use the @Base module for Drupal you should uninstall it.
Provides integration between the Scheduler module and the Workbench Moderation module.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed Scheduler Workbench Integration module, there is nothing you need to do.
Solution
If you use the Scheduler Workbench Integration module for Drupal you should uninstall it.
Please note that the security team will not release information on this vulnerability for up to a month; the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.
This project provides D7 versions of the ‘node_reference’ and ‘user_reference’ field types, that were part of the CCK package in D6, at functional parity with the D6 counterparts.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed References module, there is nothing you need to do.
Solution
If you use the References module for Drupal you should uninstall it.
Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.
Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed Filemaker Form module, there is nothing you need to do.
Solution
If you use the Filemaker Form module for Drupal you should uninstall it.
Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed Legal module, there is nothing you need to do.
Solution
If you use the Legal module for Drupal you should uninstall it.
This module alters the book module permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, book-related permissions provided by drupal core apply across all books, but this module will let you drill down as granular as to letting specific users have specific rights for specific books.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed Book access module, there is nothing you need to do.
Solution
If you use the Book access module for Drupal you should uninstall it.
This module lets you create auto login URLs programmatically on demand and through tokens.
The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently, thereby logging in as another user.
This vulnerability is mitigated by the fact that an attacker needs to be able to exactly guess the second when a login URL was generated for a user. Furthermore, the attacker also needs to know the victim's user ID and the login destination of the generated login URL. The attack is also mitigated by the fact that the module has flood control, so an attacker has only a limited number of attempts to guess login URLs.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Auto Login URL 8.x-1.x versions prior to 8.x-1.2.
Auto Login URL 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Auto Login URL module, there is nothing you need to do.
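As an added illustration (not the Auto Login URL module's own code), the weak pattern the advisory describes, a token derived only from the user ID, destination and generation second, is shown beside a hardened generator and validator; the in-memory store, the TTL and the URL layout are assumptions.

```php
<?php
// Added example, not code from the Auto Login URL module. Contrasts a
// login-URL token built only from guessable inputs with one that is random,
// stored server-side as a hash, bound to the account, expiring and single-use.

// Weak construction: no secret and no randomness. Anyone who knows the uid,
// the destination and the second of generation can recompute the same token.
function weak_login_token(int $uid, string $destination, int $generated_at): string {
    return hash('sha256', $uid . ':' . $destination . ':' . $generated_at);
}

// Hardened construction. $store stands in for a database table keyed by the
// token hash (assumption: any persistent server-side store works the same way).
const LOGIN_TOKEN_TTL = 300; // seconds a login URL stays valid (assumed policy)

function issue_login_url(array &$store, int $uid, string $destination, int $now): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = [             // persist only a hash of the token
        'uid'         => $uid,
        'destination' => $destination,
        'expires'     => $now + LOGIN_TOKEN_TTL,
    ];
    return '/autologin/' . $uid . '/' . $token . '?destination=' . rawurlencode($destination);
}

// Returns the stored record on success and consumes the token; null on failure.
// Looking the token up by its hash avoids a timing side channel on the raw value.
function redeem_login_token(array &$store, int $uid, string $token, int $now): ?array {
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                               // unknown or already used
    }
    $record = $store[$key];
    unset($store[$key]);                           // single use, even if checks below fail
    if ($now > $record['expires'] || $record['uid'] !== $uid) {
        return null;                               // expired or bound to another account
    }
    return $record;
}
```

A rate limit on redemption attempts, as the advisory's flood control provides, still belongs in front of redeem_login_token(); the random token makes guessing infeasible rather than merely slow.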
Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.
When searching for entities, this module doesn’t always enforce the access restrictions and users may see information about entities they should not be able to access.
This is mitigated by the fact that a user must have access to a text format that uses Linkit.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
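Both the Open Atrium and the Linkit advisories above describe search or listing code that returns content without enforcing access. As an added Drupal 7 illustration (not oa_core's or Linkit's code), this helper enforces the “view published content” permission and per-node access before returning results; the function name and the title-search query are assumptions.

```php
<?php
// Added example, not code from oa_core, oa_comment or Linkit. A Drupal 7
// node search helper that respects "view published content" (machine name
// 'access content') and node access grants. Assumes a bootstrapped Drupal 7.

function example_visible_node_search($needle, $limit = 10) {
  global $user;

  // On an intranet, anonymous users may have 'access content' disabled;
  // return nothing rather than relying on the caller to check.
  if (!user_access('access content', $user)) {
    return array();
  }

  // The node_access tag lets node access modules filter the query, so
  // private-group content never reaches the result set in the first place.
  $nids = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($needle) . '%', 'LIKE')
    ->addTag('node_access')
    ->range(0, $limit)
    ->execute()
    ->fetchCol();

  // Defence in depth: re-check view access on each loaded node, so a query
  // built without the tag elsewhere cannot silently widen what is exposed.
  $results = array();
  foreach (node_load_multiple($nids) as $node) {
    if (node_access('view', $node, $user)) {
      $results[$node->nid] = $node->title;
    }
  }
  return $results;
}
```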