This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages.
The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended.
This vulnerability is mitigated by the fact that an attacker must have access to a session with the role that has the permission “access administration pages”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Twilio 7.x-1.x versions prior to 7.x-1.11
Drupal core is not affected. If you do not use the contributed Twilio module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.11
Grant the permission “administer twilio” to any roles that should be able to administer the Twilio module.
This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal.
The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site.
This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Colorbox 7.x-2.x versions prior to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed Colorbox module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Colorbox module for Drupal 7.x, upgrade to Colorbox 7.x-2.10
This module enables you to manage registrations for events.
The module doesn’t sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations.
This vulnerability is mitigated by the fact that anonymous users must have the permission “Register other accounts.”
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Entity Registration 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Entity Registration module, there is nothing you need to do.
Note on releases: the security bug was fixed in the 7.x-1.5 release, however that release included many other bug fixes and features. The 7.x-1.6 release is intended to fix a critical, non-security bug in the 7.x-1.5 release.
Update permissions configuration:
Remove the “Register other accounts” permission for anonymous users or other unprivileged roles
If needed, add the “Register Self” permission for anonymous users and other unprivileged roles
This module enables you to add a simple search interface to lookup taxonomy terms by name.
The module doesn’t sufficiently sanitize output of taxonomy vocabulary names and term names.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer vocabularies and terms” or the ability to add or edit nodes or entities with taxonomy fields attached.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
MODULE 6.x-2.x versions up to 6.x-1.2.
MODULE 7.x-2.x versions up to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Taxonomy Find module, there is nothing you need to do.
Solution
If you use the Taxonomy Find module you should uninstall it.
This module enables you to easily manage your media assets and re-use them in all your content.
The module provided a “debug” context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions.
This vulnerability is mitigated by the fact that only sites that added fields to an atom type and then restricted access to those fields are vulnerable.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Scald 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Scald: Media Management made easy module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.5
Vulnerability: Cross Site Scripting, Access bypass
Description
CMS Updater allows to update Drupal core automatically with a subscription service.
Access bypass
The module does not sufficiently protect the settings page allowing any user with the permission “access administration pages” to change settings.
This vulnerability is mitigated by the fact that an attacker must have the “access administration pages” permission on the site.
Cross Site Scripting (XSS)
The module does not sanitize user provided text on the configuration page thereby exposing a cross site scripting vulnerability.
There are no mitigating factors for the cross site scripting.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
CMS Updater 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CMS Updater module, there is nothing you need to do.
Solution
Install the latest version:
If you use the CMS Updater module for Drupal 7.x, upgrade to CMS Updater 7.x-1.3
This module enables you to integrate with amoCRM service using webhooks.
The module does not sufficiently sanitize the logged data when malicious POST data is received.
This vulnerability is mitigated by the fact that a module such “Database logging” (dblog) must be enabled which displays log messages in a HTML context.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
amoCRM 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed amoCRM module, there is nothing you need to do.
Solution
Install the latest version:
If you use the amoCRM module for Drupal 7.x, upgrade to amoCRM 7.x-1.2
Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability.
Certain characters aren’t properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search.
Only sites that use contrib or custom modules which rely on the db_like() function may be affected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to 7.x-1.4