The Compass Rose module provides a CCK field type for representing the most common orientations (North, North-East, East, South-East, South, South-West, West and North-West).
The module embedded a JavaScript library from an external source that was not trustworthy. A script loaded from a third-party origin runs with the full privileges of the page that includes it, so a compromised or malicious host could inject arbitrary JavaScript into the site, thereby exposing it to a Cross Site Scripting (XSS) vulnerability.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Compass Rose 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Compass Rose module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Compass Rose module for Drupal 6.x, upgrade to Compass Rose 6.x-1.1.
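A quick way to find out whether a site has the same exposure is to inventory every script it loads from an origin other than its own. The following is an added example, not code from the Compass Rose module or from Drupal: it parses rendered HTML (a constructed sample here) and reports each external `<script src>` together with whether it carries a Subresource Integrity attribute. The site origin, the sample markup and the hostnames in it are all assumptions for the demonstration.

```python
"""Inventory third-party <script src> includes in a rendered page.

Added example, not code from the Compass Rose module or Drupal. It flags
every script whose origin differs from the site's own, since such a
script runs with the full privileges of the including page. The sample
HTML below is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one local script, two external ones, one inline.
SAMPLE_HTML = """<html><head>
<script src="/sites/all/modules/compass_rose/compass_rose.js"></script>
<script src="http://cdn.example.net/compass-rose/1.0/rose.js"></script>
<script src="//static.example.org/lib.js" integrity="sha384-abc"></script>
<script>var rose = {};</script>
</head><body></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script> with a src."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.srcs.append((a["src"], "integrity" in a))


def external_scripts(html, site_origin):
    """Return (src, has_integrity) for scripts not served by site_origin.

    Scheme-relative '//host/...' URLs count as external; relative paths
    have no host and are served by the site itself, so they are skipped.
    """
    site_host = urlsplit(site_origin).netloc.lower()
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_integrity in collector.srcs:
        host = urlsplit(src).netloc.lower()
        if host and host != site_host:
            findings.append((src, has_integrity))
    return findings


if __name__ == "__main__":
    for src, has_integrity in external_scripts(SAMPLE_HTML, "https://www.example.com"):
        print(f"external script: {src}  integrity={'yes' if has_integrity else 'no'}")
```

An integrity hash only helps for a pinned, immutable file and would not have been available to a Drupal 6 site; the remedy the advisory took, shipping the library with the module, removes the third-party origin altogether.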
Vulnerability: Cross Site Scripting, Multiple vulnerabilities
Description
This module enables you to edit entities’ fields in place.
The module doesn’t sufficiently filter entity titles when a user starts in-place editing of an entity. It also doesn’t sufficiently filter node titles when a node is displayed, although only on pages other than the node’s own page (for example, Views listings).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit node entities (e.g. page, article …).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Quick Edit 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Quick Edit module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Quick Edit module for Drupal 7.x, upgrade to Quick Edit 7.x-1.2.
This module enables you to pay for items in Drupal Commerce using the Commonwealth Bank (CBA) payment gateway.
The module doesn’t sufficiently validate the payment under certain specific scenarios. A malicious user can modify the URLs used in the gateway interaction with Commbank to make a failed payment appear to be a successful payment. Because those URLs pass through the customer’s browser, the outcome of a transaction must be verified against data the customer cannot alter rather than taken from the redirect.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Commerce Commonwealth (CBA) 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Commerce Commonwealth (CBA) module, there is nothing you need to do.
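The following added example, which is not the Commerce Commonwealth module’s code and does not reproduce the Commonwealth Bank protocol or the actual 7.x-1.5 fix (neither is described on this page), contrasts a handler that believes the status carried in the return URL with one that accepts only a result the gateway has authenticated. The HMAC-signed return parameters and the shared secret are a hypothetical scheme used to illustrate the principle; the order record and URLs are constructed.

```python
"""Vulnerable versus hardened handling of a payment gateway's return URL.

Added example, not the Commerce Commonwealth module's code. The
HMAC-signed return parameters are a hypothetical scheme standing in for
whatever authentication a real gateway offers; the point is that the
outcome must be verified against something the customer's browser
cannot forge, and must match the order the shop recorded.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SHARED_SECRET = b"merchant-secret-known-only-to-shop-and-gateway"  # constructed


def trusting_handler(return_url):
    """Vulnerable: believes whatever status the redirect URL carries."""
    q = parse_qs(urlsplit(return_url).query)
    return q.get("status", [""])[0] == "approved"


def _sign(order_id, amount_cents, status):
    msg = f"{order_id}|{amount_cents}|{status}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def gateway_redirect(order_id, amount_cents, status):
    """Simulates the gateway building the signed return URL (constructed)."""
    sig = _sign(order_id, amount_cents, status)
    return (f"https://shop.example/checkout/return?order={order_id}"
            f"&amount={amount_cents}&status={status}&sig={sig}")


def verifying_handler(return_url, expected_order):
    """Hardened: accept only a signed 'approved' result whose order id and
    amount match what the shop stored before redirecting the customer."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    try:
        order_id, amount, status, sig = q["order"], q["amount"], q["status"], q["sig"]
    except KeyError:
        return False
    if order_id != expected_order["id"] or amount != str(expected_order["amount_cents"]):
        return False
    # Constant-time comparison; any edit to order, amount or status breaks it.
    if not hmac.compare_digest(sig, _sign(order_id, amount, status)):
        return False
    return status == "approved"


if __name__ == "__main__":
    order = {"id": "1001", "amount_cents": 1999}  # constructed order record
    declined = gateway_redirect("1001", 1999, "declined")
    forged = declined.replace("status=declined", "status=approved")
    print("trusting handler on forged URL:", trusting_handler(forged))
    print("verifying handler on forged URL:", verifying_handler(forged, order))
```

Where the gateway offers a server-to-server status query, use it in addition to checking the signed redirect; the browser-relayed result is at best a hint that a server-side lookup should confirm.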
Vulnerability: Cross Site Scripting, Multiple vulnerabilities
Description
This module enables you to track time on entities and comments.
The module doesn’t sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Add Time Tracker Entries”.
The module doesn’t sufficiently filter activities used to categorize time tracker entries. This vulnerability is mitigated by the fact that an attacker must have a role with the “Administer Time Tracker” permission. That permission is also correctly marked as “restrict access”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Time Tracker 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Time Tracker module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Time Tracker module for Drupal 7.x, update to Time Tracker 7.x-1.4.
Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery
Description
The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to “drive” tailored tools and data displays within Drupal.
The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values on some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with the OSF Ontology module enabled are affected.
Additionally, the module is vulnerable to arbitrary file deletion through Cross Site Request Forgery: a malicious user can cause an administrator to delete files by getting the administrator’s browser to request a specially-crafted URL. Only sites with the OSF Ontology and OSF Import modules enabled are affected.
Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator’s browser to make a request to a specially-crafted URL. Only sites with the OSF Import module enabled are affected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
OSF 7.x-3.x versions prior to 7.x-3.1.
Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.
Solution
Install the latest version:
If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF 7.x-3.1.
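Both OSF issues above come down to a state-changing administrative action being reachable by a request the administrator never intended to make. The following added example, which is not OSF for Drupal’s code (Drupal 7 provides drupal_get_token() and drupal_valid_token() for the same purpose in PHP), shows the two checks such an action needs: it refuses GET requests, and it requires a token bound to both the user’s session and the specific file being deleted, so a token leaked or issued for one action cannot be replayed for another. The session store, file store and request dictionaries are constructed for the demonstration.

```python
"""CSRF protection for a state-changing administrative action.

Added example, not OSF for Drupal's code. The token is bound to the
user's session and to the exact action it authorizes; requests that
lack it, or that arrive via GET, are refused. Session and file stores
are constructed inline.
"""
import hashlib
import hmac
import secrets

# Per-site secret. Generated fresh here; a real site would persist it.
SITE_KEY = secrets.token_bytes(32)

SESSIONS = {"sess-admin-1": {"uid": 1}}                   # constructed session store
FILES = {"import/dataset1.rdf", "import/dataset2.rdf"}     # constructed file store


def csrf_token(session_id, action):
    """Token bound to both the session and the action it authorizes."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(session_id, action, token):
    if not isinstance(token, str) or not token.isascii():
        return False
    return hmac.compare_digest(csrf_token(session_id, action), token)


def delete_file(request):
    """request: dict with keys method, session_id, path, token.
    Returns (http_status, message)."""
    if request.get("method") != "POST":
        return 405, "state changes require POST"
    sid = request.get("session_id")
    if sid not in SESSIONS:
        return 403, "not authenticated"
    path = request.get("path", "")
    # The action string includes the path, so a token for one file
    # cannot be used to delete another.
    if not valid_token(sid, f"delete:{path}", request.get("token")):
        return 403, "missing or invalid CSRF token"
    if path not in FILES:
        return 404, "no such file"
    FILES.discard(path)
    return 200, f"deleted {path}"


if __name__ == "__main__":
    # A forged link the administrator is lured into clicking: GET, no token.
    print(delete_file({"method": "GET", "session_id": "sess-admin-1",
                       "path": "import/dataset1.rdf"}))
    # The legitimate form submission carries the per-action token.
    tok = csrf_token("sess-admin-1", "delete:import/dataset1.rdf")
    print(delete_file({"method": "POST", "session_id": "sess-admin-1",
                       "path": "import/dataset1.rdf", "token": tok}))
```

The same pattern applies to the dataset-creation forms: the token is emitted with the form for the logged-in administrator and checked on submission, which a cross-origin request cannot satisfy because the attacker cannot read the administrator’s token.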
The Administration Views module replaces administrative overview/listing pages with actual Views for improved usability.
The module does not check access properly under certain circumstances, allowing anonymous users to read information they should not have access to.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Administration Views 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.
The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows.
The module doesn’t sufficiently guard user entities against unauthorized modification. A user who has access to a user account listing view with VBO enabled (such as admin/people when the Administration Views module is used) can edit their own account and grant themselves a higher role (such as “administrator”), even without the “administer users” permission.
This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing roles must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Views Bulk Operations 7.x-3.x versions prior to 7.x-3.3.
Views Bulk Operations 6.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Views Bulk Operations (VBO) module, there is nothing you need to do.
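The flaw above is an authorization confusion: being allowed to see a listing was treated as authority to run any operation offered on it. The following added example, which is not Views Bulk Operations code, models that in a small bulk-operation dispatcher and contrasts it with one that checks the permission the operation itself requires (“administer users”, the one named in the advisory) against the acting user, regardless of how they reached the list. The users, the “access user listing” permission and the operation registry are constructed for the demonstration.

```python
"""Authorizing a bulk operation by the operation's own permission.

Added example, not Views Bulk Operations code. A user who can view a
people listing applies the 'change roles' bulk action to their own
account; the hardened dispatcher refuses because the operation requires
'administer users', which the acting user lacks. Users and permission
names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    roles: set = field(default_factory=set)
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        return perm in self.perms


def _change_roles(actor, target, new_roles):
    """Handler for the 'change_roles' operation: replaces target's roles."""
    target.roles = set(new_roles)


# Operation registry: name -> (permission the operation requires, handler).
OPERATIONS = {
    "change_roles": ("administer users", _change_roles),
}


def execute_bulk_unchecked(actor, targets, op, **args):
    """Vulnerable: assumes that reaching the listing implies authority
    over every operation it offers."""
    _, handler = OPERATIONS[op]
    for target in targets:
        handler(actor, target, **args)
    return True


def execute_bulk(actor, targets, op, **args):
    """Hardened: the operation's own permission is checked for the actor
    before any row is touched; view access to the list is irrelevant."""
    required, handler = OPERATIONS[op]
    if not actor.has_perm(required):
        return False
    for target in targets:
        handler(actor, target, **args)
    return True


if __name__ == "__main__":
    me = User(uid=7, roles={"authenticated"}, perms={"access user listing"})
    execute_bulk_unchecked(me, [me], "change_roles", new_roles={"administrator"})
    print("after unchecked dispatch:", me.roles)       # escalated
    me.roles = {"authenticated"}
    print("checked dispatch allowed:", execute_bulk(me, [me], "change_roles",
                                                    new_roles={"administrator"}))
    print("after checked dispatch:", me.roles)         # unchanged
```

The check belongs at the point of execution, not only in the view that lists the rows, because the same operation can be reachable from several listings and the set of rows a user may see is unrelated to the set they may modify.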
This module enables you to manage migration processes through the administrative UI.
The module doesn’t sufficiently sanitize destination field labels, thereby exposing a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit fields (such as “administer taxonomy”), or be able to modify source data being imported by an administrator. Furthermore, the migrate_ui submodule must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Migrate 7.x-2.x versions prior to 7.x-2.8.
Drupal core is not affected. If you do not use the contributed Migrate module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Migrate module’s migrate_ui submodule for Drupal 7.x, upgrade to Migrate 7.x-2.8.
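To act on the “Versions affected” and “Solution” sections above, a site owner needs to compare the version drupal.org packaging writes into each module’s .info file with the first fixed release. The following added example, which is not part of the advisories, parses that “version = ...” line and classifies it. It treats a pre-release of the fixed version (7.x-1.4-beta1) as still affected, because only the final release is named as fixed, and reports development snapshots (7.x-1.x-dev), which carry no release number, for manual review. The .info text is constructed; it assumes the module’s “name” field matches the project name used in the advisory, and on a real site you would read the module’s own .info file instead.

```python
"""Check installed Drupal contrib versions against the fixed releases.

Added example, not part of the advisories. Parses the 'version' line
that drupal.org packaging writes into a module's .info file and compares
it with the first fixed release named in each advisory above. The .info
text below is constructed; the lookup assumes the .info 'name' matches
the project name used in the advisory.
"""
import re

# Project name as written in the advisory -> first fixed release.
FIXED = {
    "Compass Rose": "6.x-1.1",
    "Quick Edit": "7.x-1.2",
    "Commerce Commonwealth (CBA)": "7.x-1.5",
    "Time Tracker": "7.x-1.4",
    "OSF": "7.x-3.1",
    "Administration Views": "7.x-1.5",
    "Views Bulk Operations": "7.x-3.3",   # the advisory also lists all 6.x-1.x as affected
    "Migrate": "7.x-2.8",
}

VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$")


def parse_version(v):
    """'7.x-1.4-beta2' -> (core=7, major=1, minor=4, extra='beta2').
    minor is None for a development snapshot such as '7.x-1.x-dev'."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    core, major, minor, extra = m.groups()
    return int(core), int(major), (None if minor == "x" else int(minor)), extra


def status(installed, fixed):
    """'affected', 'fixed', 'other_branch' or 'review' (dev snapshot).
    A pre-release of the fixed version counts as affected: only the final
    release is named as fixed."""
    ic, imaj, imin, iextra = parse_version(installed)
    fc, fmaj, fmin, _ = parse_version(fixed)
    if (ic, imaj) != (fc, fmaj):
        return "other_branch"   # e.g. a 6.x-1.x install checked against a 7.x fix
    if imin is None:
        return "review"
    if imin < fmin or (imin == fmin and iextra):
        return "affected"
    return "fixed"


def parse_info(info_text):
    """Return (name, version) from simple 'key = value' .info lines."""
    fields = {}
    for line in info_text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields.get("name"), fields.get("version")


def check_info(info_text):
    """Classify one module from its .info contents."""
    name, version = parse_info(info_text)
    if name not in FIXED:
        return name, "not_in_advisories"
    if not version:
        return name, "review"   # hand-installed checkout with no packaged version
    return name, status(version, FIXED[name])


# Constructed .info contents for an out-of-date install.
SAMPLE_INFO = """name = Time Tracker
description = Track time on entities and comments.
core = 7.x
version = "7.x-1.3"
"""

if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))
```

After upgrading, remember that Drupal modules also need their update hooks run (update.php) and that a cached page may still serve old markup, so re-check the deployed version rather than the downloaded archive.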