• Advisory ID: DRUPAL-SA-CONTRIB-2015-147
• Project: RESTful (third-party module)
• Version: 7.x
• Date: 2015-September-09
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

This module enables you to expose your Drupal backend by generating a RESTful API.

The module doesn’t sufficiently account for core’s page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have their pages cached as anonymous users, and therefore allowing access to potentially restricted information during subsequent anonymous requests.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• RESTful 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the RESTful module for Drupal 7.x, upgrade to RESTful 7.x-1.3

Also see the RESTful project page.

Reported by

• Richard Thomas

Fixed by

• Mateu Aguiló the module maintainer
• Lee Rowlands of the Drupal Security Team

Coordinated by

• Lee Rowlands of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-146
• Project: Twitter (third-party module)
• Version: 6.x, 7.x
• Date: 2015-September-09
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:User/CI:None/II:Some/E:Exploit/TD:Uncommon
• Vulnerability: Access bypass

Description

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter.

The module doesn’t sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be posted to any authenticated account, not just one that the user owns.

The module also doesn’t sufficiently check for access when listing a user’s connected Twitter accounts, allowing any user to change the options for any other account, including deleting the attached Twitter account.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “post to twitter” in order to post to Twitter, and have either the permission “add twitter accounts” or “add authenticated twitter accounts” in order to access the accounts list.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Twitter 6.x-5.x versions prior to 6.x-5.2.
• Twitter 7.x-5.x versions prior to 7.x-5.9.
• Twitter 7.x-6.x versions prior to 7.x-6.0.

Drupal core is not affected. If you do not use the contributed Twitter module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Twitter 5.x module for Drupal 6.x, upgrade to Twitter 6.x-5.2 or later.
• If you use the Twitter 5.x module for Drupal 7.x, upgrade to Twitter 7.x-5.9 or later.
• If you use the Twitter 6.x module for Drupal 7.x, upgrade to Twitter 7.x-6.0 or later.

Also see the Twitter project page.

Reported by

• Chris Car
• Carl Bowles
• Stein Magne Bjørklund
• Omnia Ibrahim
• Daniel Roman Sabate
• mshepherd
• voughndutch

Fixed by

• adirael
• arcovia
• Michael Nielson
• Damien McKenna, the module maintainer.

Coordinated by

• David Snopek of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2014-145
• Project: Fieldable Panels Panes (FPP) (third-party module)
• Version: 7.x
• Date: 2015-September-02
• Security risk: 8/25 ( Less Critical) AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon
• Vulnerability: Access bypass

Description

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a fieldable custom entity type.

The module doesn’t sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing someone to modify a pane they don’t have permission to edit.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to edit a panels display that has a custom pane, and it’s uncommon that someone is given access to this functionality and not also permission to edit the panes.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Fieldable Panels Panes for Drupal 7, upgrade to Fieldable Panels Panels 7.x-1.7.

Also see the Fieldable Panels Panes (FPP) project page.

Reported by

• Chris Burge

Fixed by

• Chris Burge
• Damien McKenna, the module maintainer.
• David Snopek of the Drupal Security Team.

Coordinated by

• David Snopek of the Drupal Security Team.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-144
• Project: Mass Contact (third-party module)
• Version: 6.x, 7.x
• Date: 2015-September-02
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting

Description

This module allows anyone with permission to send a single message to multiple users of a site, using the site’s roles and/or taxonomy functionality.

The module doesn’t sufficiently sanitize the category labels when they are displayed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer mass contact”.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Mass Contact 6.x-1.x versions prior to 6.x-1.6.
• Mass Contact 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Mass Contact module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact 6.x-1.6
• If you use the Mass Contact module for Drupal 7.x, upgrade to Mass Contact 7.x-1.1

Also see the Mass Contact project page.

Reported by

• Daniel Johnson

Fixed by

• Jason Flatt the module maintainer

Coordinated by

• Aaron Ott, provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-143
• Project: Zendesk Feedback Tab (third-party module)
• Version: 7.x
• Date: 2015-September-02
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting

Description

This module enables you to easily integrate the Zendesk Support Tab on your Drupal website.

The module allows Javascript code to be embedded via its administration interface, allowing for the potential of cross-site scripting attacks. The module did not properly indicate that site administrators should restrict access to that permission to only trusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Configure Zendesk Feedback Tab permission.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Zendesk Feedback Tab 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Zendesk Feedback Tab module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the zendesk_feedbacktab module for Drupal 7.x, upgrade to Zendesk Feedback Tab 7.x-1.1

Also see the Zendesk Feedback Tab project page.

Reported by

• Greg Knaddison of the Drupal Security Team

Fixed by

• Blaine Lang the module maintainer
• Greg Knaddison of the Drupal Security Team

Coordinated by

• Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-142
• Project: Spotlight (third-party module)
• Version: 7.x
• Date: 2015-September-01
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
• Vulnerability: Cross Site Scripting

Description

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files.

The module doesn’t sufficiently sanitize node titles when displayed in results.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Spotlight 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Spotlight module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Spotlight module for Drupal 7.x, upgrade to Spotlight 7.x-1.5

Also see the Spotlight project page.

Reported by

• David Rothstein of the Drupal Security Team

Fixed by

• David Rothstein of the Drupal Security Team

Coordinated by

• David Rothstein of the Drupal Security Team
• Cash Williams of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-141
• Project: Chaos tool suite (ctools) (third-party module)
• Version: 6.x, 7.x
• Date: 2015-August-19
• Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting, Access bypass, Multiple vulnerabilities

Description

Cross Site Scripting (XSS)

Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools.

This vulnerability can be mitigated by the fact that ctools must load its javascript on the page and the user has access to submit data through a form (such as a comment or node) that allows ‘a’ tags.

This patch is a backport for SA-CORE-2015-003.

Access bypass

This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.

The module doesn’t sufficiently verify the “edit” permission for the “content type” plugins that are used on Panels and similar systems to place content and functionality on a page.

This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no “edit” permission is set up for the child object CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the person’s lack of access.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

Cross Site Scripting:

• ctools 6.x-1.x versions prior to 6.x-1.14.

Access bypass:

• ctools 6.x-1.x versions prior to 6.x-1.14.
• ctools 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the ctools module for Drupal 6.x, upgrade to ctools 6.x-1.14
• If you use the ctools module for Drupal 7.x, upgrade to ctools 7.x-1.8

Also see the Chaos tool suite (ctools) project page.

Reported by

Cross Site Scripting:

• Peter Wolanin of the Drupal Security Team

Access bypass:

• Andor Dávid

Fixed by

Cross Site Scripting:

• James Gilliland of the Drupal Security Team
• Alex Bronstein, Drupal core patch coordinator
• Kris Vanderwater the module maintainer
• Jakob Perry the module maintainer

Access bypass:

• Andor Dávid
• Damien McKenna, provisional member of the Drupal Security Team
• Michael Miles of the Drupal Security Team
• Jakob Perry the module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CORE-2015-003
• Project: Drupal core
• Version: 6.x, 7.x
• Date: 2015-August-19
• Security risk: 18/25 ( Critical) AC:Complex/A:User/CI:All/II:All/E:Proof/TD:All
• Vulnerability: Cross Site Scripting, Access bypass, SQL Injection, Open Redirect, Multiple vulnerabilities

This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting – Ajax system – Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting – Autocomplete system – Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection – Database API – Drupal 7

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery – Form API – Drupal 6 and 7

A vulnerability was discovered in Drupal’s form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user’s account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links – Access system – Drupal 6 and 7

Users without the “access content” permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

CVE identifier(s) issued

• CVE identifiers have been requested and will be added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Drupal core 6.x versions prior to 6.37
• Drupal core 7.x versions prior to 7.39

Solution

Install the latest version:

• If you use Drupal 6.x, upgrade to Drupal core 6.37
• If you use Drupal 7.x, upgrade to Drupal core 7.39

Also see the Drupal core project page.

Credits

Cross-site Scripting – Ajax system – Drupal 7

Reported by

• Régis Leroy
• Kay Leung, Drupal core JavaScript maintainer
• Samuel Mortenson
• Pere Orga of the Drupal Security Team

Fixed by

• Théodore Biadala, Drupal core JavaScript maintainer
• Alex Bronstein of the Drupal Security Team
• Ben Dougherty of the Drupal Security Team
• Gábor Hojtsy of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Kay Leung, Drupal core JavaScript maintainer
• Wim Leers
• Samuel Mortenson
• Pere Orga of the Drupal Security Team
• Tim Plunkett
• David Rothstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• znerol, maintainer of Authcache module

Cross-site Scripting – Autocomplete system – Drupal 6 and 7

Reported by

• Alex Bronstein of the Drupal Security Team
• Pere Orga of the Drupal Security Team

Fixed by

• Alex Bronstein of the Drupal Security Team
• Ben Dougherty of the Drupal Security Team
• Tim Plunkett
• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• David Rothstein of the Drupal Security Team

SQL Injection – Database API – Drupal 7

Reported by

• Carl Sabottke

Fixed by

• Anthony Ferrara
• Larry Garfield
• Greg Knaddison of the Drupal Security Team
• Cathy Theys provisional member of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team

Cross-site Request Forgery – Form API – Drupal 6 and 7

Reported by

• Abdullah Hussam

Fixed by

• Greg Knaddison of the Drupal Security Team
• Wim Leers
• David Rothstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team

Information Disclosure in Menu Links – Access system – Drupal 6 and 7

Reported by

• David_Rothstein of the Drupal Security Team

Fixed by

• Matt Chapman of the Drupal Security Team
• Stéphane Corlosquet of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Christian Meilinger
• David_Rothstein of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

Coordinated by

• Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-140
• Project: Search API Autocomplete (third-party module)
• Version: 7.x
• Date: 2015-August-19
• Security risk: 6/25 ( Less Critical) AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default
• Vulnerability: Cross Site Scripting

Description

This module enables you to add autocomplete suggestions for search forms created with the Search API module.

The module doesn’t sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create new content (or other indexed entities) and that the search index must be configured to use the HTML filter processor.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Search API Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Search API Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Search API Autocomplete module for Drupal 7.x, upgrade to Search API Autocomplete 7.x-1.3

Also see the Search API Autocomplete project page.

Reported by

• Thomas Seidl the module maintainer

Fixed by

• Thomas Seidl the module maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2015-139
• Project: Workbench Email (third-party module)
• Version: 7.x
• Date: 2015-August-19
• Security risk: 10/25 ( Moderately Critical) AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions.

The module causes node and field validations to be skipped when saving nodes.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update nodes.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Workbench Email 7.x-3.x versions prior to 7.x-3.4

Drupal core is not affected. If you do not use the contributed Workbench Email module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Workbench Email module for Drupal 7.x, upgrade to Workbench Email 7.x-3.4

Also see the Workbench Email project page.

Reported by

• Yves Chedemois

Fixed by

• Brandon Tate the module maintainer

Coordinated by

• Pere orga of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity