Field Group module enables you to group fields on entity forms and entity displays.
When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as Administer vocabularies and terms.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Field Group 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Field Group module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Field Group module for Drupal 7.x, upgrade to Field Group 7.x-1.5
This module enables you to add custom classes to blocks.
The module doesn’t sufficiently scrub class names written by a malicious block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer block classes”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
block_class 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.
Solution
Install the latest version:
If you use the block_class module for Drupal 7.x, upgrade to block_class 7.x-2.2
Open Atrium distribution enables you to create an intranet.
Open Atrium Core module doesn’t sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability (XSS).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66
Drupal core is not affected. If you do not use the contributed Open Atrium Core module or the Open Atrium distribution, there is nothing you need to do.
Solution
If you use the Open Atrium distribution for Drupal 7.x:
If you are unable to update to Open Atrium 2.51 or oa_core 2.66, you can apply this patch to the oa_core module to fix the vulnerability until such time as you are able to completely upgrade to Open Atrium 2.51 or oa_core 2.66.
This module enables you to create key|value pairs for use in list fields, webforms etc.
The module includes an import page that runs eval() on an exported code block (ctools), but the permission for the page does not warn about security concerns of importing raw php code like this (trusted permission).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “import value sets”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Values 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Values module, there is nothing you need to do.
Solution
Install the latest version:
If you use the values module for Drupal 7.x, upgrade to Values 7.x-1.2
Vulnerability: Access bypass, Information Disclosure
Description
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node).
There is a vulnerability because a user that can create or edit content and has the “insert entity token” permission can insert tokens relating to e.g. an unpublished node and allow any (including anonymous) users to see this rendered node embedded into the main node.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.
This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance.
The module doesn’t correctly check access when attempting to delete non-default search environments.
This vulnerability is mitigated by the fact that the site must have a non-default environment configured and an attacker must discover the ID of the environment.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Apache Solr Search 6.x-3.x versions prior to 6.x-3.1.
Apache Solr Search 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Apache Solr Search module, there is nothing you need to do.
Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client.
The module doesn’t sufficiently validate access before setting up the websocket. As a result, users may receive messages from chat rooms they don’t have access to via the websocket.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Chat Room 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Chat Room module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Chat Room module for Drupal 7.x, upgrade to Chat Room 7.x-2.2
The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the black list it will be automatically marked as spam and rejected per the site configuration.
The module doesn’t sufficiently check for access when accessing or modifying the blacklist for the site. This enables a potential attacker to add, update, or remove their own terms to a site-wide blacklist. The potential exists for an attacker to remove existing blacklist terms which could allow their content to be accepted onto the site.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Mollom 6.x-2.x versions between 6.x-2.7 through 6.x-2.14.
This does not affect the modules for Drupal 7 or Drupal 8.
Drupal core is not affected. If you do not use the contributed Mollom module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.15
RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability.
The module doesn’t sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances.
This vulnerability is mitigated by the fact that only sites with a custom implementation of methods from a specific class are affected. Also, that custom code would need to affect data or impact the site in some way.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
RESTful 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.
Solution
Install the latest version:
If you use the RESTful 7.x-1.x module for Drupal 7.x, upgrade to RESTful 7.x-1.6