Category Archives: Drupal

Drupal Security Advisories

Features – Less Critical – Denial of Service (DoS) – SA-CONTRIB-2016-020

Description

This module enables you to organize and export configuration data.

The module doesn’t sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin who has the “manage features” permission into requesting a specially crafted URL, the cache can be cleared repeatedly, resulting in a Denial of Service (DoS).

This vulnerability is mitigated by the fact that the admin with the “manage features” permission must be logged in when they request the special URL.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Features 7.x-2.x versions prior to 7.x-2.9.
  • Features 7.x-1.x which is no longer supported.

Drupal core is not affected. If you do not use the contributed Features module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Features project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Drupal Commerce – Less Critical – Information disclosure – SA-CONTRIB-2016-019

Description

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field’s autocomplete widget. As you type in the textfield, the Commerce Product module returns a JSON array of matching product SKUs / titles for you to select.

The module doesn’t sufficiently restrict access to the autocomplete path under the default configuration of the field. A visitor to the website could browse directly to the autocomplete path to see a list of products that would ordinarily be returned to the autocomplete JavaScript to populate the autocomplete dropdown. Default parameters on the function used to generate this list cause it to bypass the product access control check that would ordinarily restrict product visibility to end users based on your site’s permissions.

This vulnerability is mitigated by the fact that an attacker must know what the autocomplete path is and what arguments to include in it to generate a valid response based on your site’s architecture. Additionally, in most eCommerce sites, product SKUs and titles are not by themselves considered private information.
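The access-bypass described above comes down to an autocomplete callback returning query results without applying product access. The following is an added example, not code from Drupal Commerce: an autocomplete callback that runs the site’s product access check on every candidate before any SKU or title is emitted. The path and the `example_` function names are hypothetical; `commerce_product_load_multiple()` and `commerce_product_access()` are the real Commerce API functions.

```php
<?php
// Added example, not code from Drupal Commerce: an autocomplete callback that
// runs the site's product access check before any SKU or title is emitted.
// The path and example_* names are hypothetical; commerce_product_load_multiple()
// and commerce_product_access() are the real Commerce API functions.

/**
 * Page callback for the hypothetical path example/products/autocomplete/%.
 *
 * @param string $string
 *   The text typed so far, taken from the URL.
 */
function example_product_autocomplete($string = '') {
  $matches = array();
  $string = trim($string);
  if ($string !== '') {
    // Candidate lookup by SKU or title. A plain query knows nothing about
    // product access, so its results must not be returned as they are.
    $ids = db_select('commerce_product', 'cp')
      ->fields('cp', array('product_id'))
      ->condition(db_or()
        ->condition('cp.sku', '%' . db_like($string) . '%', 'LIKE')
        ->condition('cp.title', '%' . db_like($string) . '%', 'LIKE'))
      ->range(0, 25)
      ->execute()
      ->fetchCol();
    foreach (commerce_product_load_multiple($ids) as $product) {
      // Same check a product page enforces, for the current user. A product
      // the visitor may not view never appears in the JSON, even though the
      // query found it.
      if (!commerce_product_access('view', $product)) {
        continue;
      }
      $label = $product->sku . ': ' . $product->title;
      // Keys follow the "Title [id]" convention the reference widget parses;
      // values are escaped because the browser inserts them into the DOM.
      $matches[$label . ' [' . $product->product_id . ']'] = check_plain($label);
    }
  }
  drupal_json_output($matches);
}
```

The hook_menu() entry for the path should additionally carry an access callback, so the endpoint is not reachable at all by roles that have no reason to search products.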

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commerce project page.

Reported by

Fixed by

Coordinated by


HybridAuth – Less critical – Multiple vulnerabilities – SA-CONTRIB-2016-018

Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or log in to a Drupal site using their identities from social networks like Facebook or Twitter.

Open redirect

The module doesn’t verify that the “destination” redirect used after login is a non-external URL, resulting in an open redirect vulnerability. Any attacker can exploit it by crafting a special login link.

Information disclosure

The module doesn’t check the tokens in the “destination” redirect value, allowing an attacker to specify arbitrary tokens. Any token value is then exposed in the redirect URL.

This vulnerability is mitigated by the fact that there must be secret data on the site that is exposed through the token system (for example an access-protected field). An attacker must know which fields/tokens contain secret information.
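Both HybridAuth issues above stem from trusting the request-supplied “destination” value: once as a redirect target, once as input to token replacement. The following is an added example, not code from the HybridAuth Social Login module, showing how a post-login redirect can be chosen so that off-site targets are refused and the value is never handed to the token system. The `example_` function names are hypothetical; `url_is_external()`, `drupal_parse_url()` and `drupal_goto()` are the Drupal 7 API.

```php
<?php
// Added example, not code from the HybridAuth Social Login module: choosing
// the post-login redirect without trusting the "destination" value from the
// request. example_* names are hypothetical; url_is_external(),
// drupal_parse_url() and drupal_goto() are the Drupal 7 API.

/**
 * Returns an internal path that is safe to redirect to after login.
 *
 * @param string $destination
 *   Raw value from the request, e.g. $_GET['destination'].
 * @param string $fallback
 *   Internal path used whenever the supplied value is rejected.
 */
function example_safe_destination($destination, $fallback = 'user') {
  if (!is_string($destination) || $destination === '') {
    return $fallback;
  }
  // Anything that resolves off-site is refused: "http://evil.example/..."
  // and other scheme-bearing values are caught by url_is_external().
  if (url_is_external($destination)) {
    return $fallback;
  }
  // url_is_external() only looks for a scheme; a protocol-relative value such
  // as "//evil.example" has none and would still leave the site, so it is
  // refused explicitly, together with the backslash spelling some browsers accept.
  if (preg_match('#^[\\\\/]{2}#', $destination)) {
    return $fallback;
  }
  // The value is used as a literal path and is never passed through
  // token_replace(); "[user:mail]"-style placeholders therefore stay inert.
  return $destination;
}

/**
 * Called once the social-network round trip has authenticated the user.
 */
function example_login_finished() {
  $raw = isset($_GET['destination']) ? $_GET['destination'] : '';
  $target = drupal_parse_url(example_safe_destination($raw));
  // drupal_goto() consults $_GET['destination'] itself; clear it so that only
  // the validated path decides where the browser goes.
  unset($_GET['destination']);
  drupal_goto($target['path'], array(
    'query' => $target['query'],
    'fragment' => $target['fragment'],
  ));
}
```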

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.15.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by

Fixed by

Coordinated by


Login one time – Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-017

Description

The Login one time module provides the ability to email one-time login links to users.

The module doesn’t sufficiently sanitize user input supplied to an ajax callback function.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Login one time 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Login one time module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Login one time project page.

Reported by

Fixed by

Coordinated by


Fast Autocomplete – Critical – DOS vulnerability – SA-CONTRIB-2016-016

Description

This module enables you to show IMDB-like suggestions when entering terms into an input field, using JSON files to “cache” suggestions, which makes the autocomplete very fast.

The module doesn’t sufficiently validate the incoming language parameter in the request path when one of the module’s JSON files is requested, resulting in folders being created in the public files directory where the module stores its JSON files. This can be exploited to perform a DoS attack by depleting the available inodes on the web server.
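The root cause above is a path component that reaches mkdir() unchecked, so every distinct request can leave a new directory behind. The following is an added example, not code from the Fast Autocomplete module, showing how a request-path language code is checked against the site’s configured languages before it is used to name a directory under `public://`, which bounds the number of directories that can ever exist. The path and `example_` names are hypothetical; `language_list()`, `file_prepare_directory()` and the `MENU_*` constants are the Drupal 7 API.

```php
<?php
// Added example, not code from the Fast Autocomplete module: the language
// code from the request path is allowlisted against the site's configured
// languages before it names a directory under public://. Path and example_*
// names are hypothetical; language_list(), file_prepare_directory() and
// the MENU_* constants are the Drupal 7 API.

/**
 * Returns the directory holding cached suggestion files for one language,
 * or FALSE when the supplied code is not a language this site has.
 */
function example_suggestion_dir($langcode) {
  // Allowlist: only codes configured on the site pass. "../x", a random
  // string or a 200-character blob is rejected before anything touches disk,
  // so the number of directories that can ever exist is bounded by the
  // number of site languages, not by the number of requests.
  $languages = language_list();
  if (!is_string($langcode) || !isset($languages[$langcode])) {
    return FALSE;
  }
  $dir = 'public://example_suggestions/' . $langcode;
  // Created on demand, and only for a known-good code.
  if (!file_prepare_directory($dir, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS)) {
    return FALSE;
  }
  return $dir;
}

/**
 * Page callback for the hypothetical path example/suggest/%/%.
 */
function example_suggest($langcode, $term) {
  $dir = example_suggestion_dir($langcode);
  if ($dir === FALSE) {
    return MENU_NOT_FOUND;
  }
  // The term becomes part of a file name, so it is constrained as well.
  if (!preg_match('/^[\p{L}\p{N}_-]{1,64}$/u', $term)) {
    return MENU_NOT_FOUND;
  }
  $file = $dir . '/' . drupal_strtolower($term) . '.json';
  if (!file_exists($file)) {
    return MENU_NOT_FOUND;
  }
  drupal_add_http_header('Content-Type', 'application/json');
  print file_get_contents($file);
  drupal_exit();
}
```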

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Fast Autocomplete 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Fast Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

While version 7.x-1.1 is not vulnerable, it contains a major bug affecting functionality. Also see the Fast Autocomplete project page.

Reported by

Fixed by

Coordinated by


Scald File – Critical – Remote Code Execution – SA-CONTRIB-2016-015

Description

When a PDF is uploaded in Scald File, various tools, if installed on the server, are executed to try to generate a thumbnail from that PDF.

This is mitigated by the need for sufficient permissions to upload a file in Scald, and by the need for at least one of the thumbnail creation tools (pdfdraw, convert or mudraw) to be installed on the server. It could also be partially mitigated by using the Transliteration module for uploaded files.
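The advisory does not spell out the mechanism, but the note that Transliteration partially mitigates the issue suggests the uploaded file name reaches the thumbnail tool’s command line. The following is an added example, not the Scald File module’s own code, written on that assumption: it invokes mudraw (one of the tools the advisory lists) with every externally influenced value quoted as a single shell argument. The `example_` function name is hypothetical.

```php
<?php
// Added example, not the Scald File module's own code. Assumes (as the
// advisory's Transliteration note suggests) that the uploaded file name
// reaches the command line, and shows the quoting that makes the name
// irrelevant to the shell. example_pdf_thumbnail() is hypothetical; mudraw
// is one of the tools the advisory lists.

/**
 * Renders page 1 of a managed PDF file to a PNG thumbnail.
 *
 * @param stdClass $file
 *   A managed file object as returned by file_load().
 *
 * @return string|false
 *   Real path of the thumbnail, or FALSE on failure.
 */
function example_pdf_thumbnail(stdClass $file) {
  $source = drupal_realpath($file->uri);
  if ($source === FALSE || !is_readable($source)) {
    return FALSE;
  }
  // The output name is derived from the numeric file id, never from the
  // user-supplied name, so it contains nothing the shell could interpret.
  $target = drupal_realpath('public://') . '/thumb-' . (int) $file->fid . '.png';
  // Each externally influenced value is wrapped by escapeshellarg(): a file
  // name containing ";", backticks or "$(...)" arrives at mudraw as one
  // literal argument instead of being interpreted by /bin/sh.
  $cmd = 'mudraw -o ' . escapeshellarg($target) . ' ' . escapeshellarg($source) . ' 1';
  exec($cmd, $output, $status);
  if ($status !== 0 || !file_exists($target)) {
    watchdog('example', 'Thumbnail generation failed for fid @fid (exit @s)',
      array('@fid' => $file->fid, '@s' => $status), WATCHDOG_WARNING);
    return FALSE;
  }
  return $target;
}
```

Quoting the arguments is independent of the Transliteration mitigation the advisory mentions: it keeps the command safe even when a file keeps its original name.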

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Scald File module 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Scald File Provider module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Scald File Provider project page.

Reported by

Fixed by

Coordinated by


Fieldable Panels Panes – Moderately Critical – Access Bypass – SA-CONTRIB-2016-014

Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn’t check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using the private file storage system.

This vulnerability is mitigated by the fact that it is an uncommon use case for the module.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by

Fixed by

Coordinated by


Node Notify – Critical – Multiple Vulnerabilities – SA-CONTRIB-2016-013 – Unsupported

Description

Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users.

The module doesn’t sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability.

Additionally, some paths were not protected against CSRF. An attacker could cause another user to subscribe and unsubscribe notifications by getting the user’s browser to make a request to a specially-crafted URL.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of Node Notify module.

Drupal core is not affected. If you do not use the contributed Node Notify module, there is nothing you need to do.

Solution

If you use the Node Notify module for Drupal 7.x you should uninstall it.

Also see the Node Notify project page.

Reported by

Fixed by

Not applicable.


Hubspot CTA – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-012 – Unsupported

Description

This module enables you to embed a Hubspot CTA buttons widget in a Bean block.

The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn’t sufficiently sanitise these parameters, allowing a potential cross-site scripting attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “administer beans” or “Hubspot Calls-to-action: Add Bean”.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All versions of Hubspot CTA module.

Drupal core is not affected. If you do not use the contributed Hubspot CTA module, there is nothing you need to do.

Solution

If you use the Hubspot CTA module you should uninstall it.

Also see the Hubspot CTA project page.

Reported by

Fixed by

Not applicable.

Coordinated by


Google Analytics Counter – Moderately Critical – CSRF – SA-CONTRIB-2016-011

Description

The Google Analytics Counter module provides total pageview counts for each page on a website. In that respect it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is also why it is able to effortlessly count views of cached pages.

The module doesn’t sufficiently protect against cross-site request forgery when it comes to the configuration reset link on its dashboard page. If the reset link were to be sent to a user with the right permissions, it could lead to an unwanted reset of the module’s settings (including its OAuth credentials).
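The Google Analytics Counter reset link above, the Features cleanup path (SA-CONTRIB-2016-020) and the Node Notify subscribe/unsubscribe paths (SA-CONTRIB-2016-013) share one defect: a state-changing action reachable by a plain GET request with no token. The following is an added example, not code from any of those modules, showing the Drupal 7 pattern that closes it: the link carries a session-bound token from `drupal_get_token()` and the page callback refuses to act unless `drupal_valid_token()` accepts it. The module name `example`, its path and permission are hypothetical.

```php
<?php
// Added example, not code from the Features, Node Notify or Google Analytics
// Counter modules: the Drupal 7 pattern for protecting a state-changing GET
// link against CSRF. The module name "example", its path and its permission
// are hypothetical; drupal_get_token() and drupal_valid_token() are core API.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items['admin/structure/example/reset'] = array(
    'title' => 'Reset settings',
    'page callback' => 'example_reset_page',
    'access arguments' => array('administer example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the dashboard link. The token is derived from the current session
 * and the string 'example_reset', so a link copied into another user's
 * browser, or planted on a third-party page, does not carry a valid one.
 */
function example_reset_link() {
  return l(t('Reset settings'), 'admin/structure/example/reset', array(
    'query' => array('token' => drupal_get_token('example_reset')),
  ));
}

/**
 * Page callback: acts only when a valid token accompanies the request.
 * Without this check, merely loading the URL in a logged-in administrator's
 * browser would perform the reset.
 */
function example_reset_page() {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_reset')) {
    // FALSE for a missing, forged or foreign-session token: respond with 403.
    return MENU_ACCESS_DENIED;
  }
  // The sensitive action happens only after the token checked out.
  variable_del('example_settings');
  drupal_set_message(t('Settings have been reset.'));
  drupal_goto('admin/structure/example');
}
```

A confirmation form built with confirm_form() achieves the same protection through the Form API’s own form token, and is the better choice for destructive actions such as clearing credentials.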

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2.

Drupal core is not affected. If you do not use the contributed Google Analytics Counter module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Analytics Counter project page.

Reported by

Fixed by

Coordinated by
