This module allows content-changes to be committed to Apache Solr in real-time.
The module doesn’t check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search site content.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Apache Solr Real-Time 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Apache Solr Real-Time module, there is nothing you need to do.
The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal.
HSTS module provides a configuration UI for the HSTS “include subdomains” directive, which indicates that the browser should apply the HSTS policy to all subdomains on the site’s domain.
HSTS module did not implement the “include subdomains” directive correctly (it is misspelled as include_subdomains rather than includeSubDomains). As a result, the HSTS policy was not applied to subdomains as site administrators had expected.
This vulnerability is mitigated by the fact that only subdomains where HSTS was expected to be enabled are affected and an attacker would still need to execute a man-in-the-middle attack to exploit the issue.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
HSTS 7.x-1.x versions prior to 7.x-1.2.
HSTS 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed HTTP Strict Transport Security module, there is nothing you need to do.
Solution
Install the latest version:
If you use the HSTS module for Drupal 7.x, upgrade to HSTS 7.x-1.2
If you use the HSTS module for Drupal 6.x, upgrade to HSTS 6.x-1.1
This module enables you add the Novalnet payment service provider to Drupal Commerce.
The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.
This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Novalnet Payment Module Drupal Commerce module
This module enables you add the Novalnet payment service provider to Ubercart.
The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.
This vulnerability is mitigated by the fact that the malicious request must come from a specific Novalnet IP address.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Novalnet Payment Module Ubercart module
Drupal core is not affected. If you do not use the contributed Novalnet Payment Module Ubercart module, there is nothing you need to do.
Solution
If you use the Novalnet Payment Module Ubercart module you should uninstall it.
Chamilo integration module integrates Drupal with Chamilo LMS.
The module has an Open Redirect vulnerability, it doesn’t sufficiently check passed parameters in the URL. An attacker could trick users to visit malicious sites without realizing it.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Chamilo integration 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Chamilo integration module, there is nothing you need to do.
The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data.
The module failed to restrict access to the Storage API fields attached to entities that are not nodes.
This is mitigated by the fact that only entities with fields using storage classes that have access restrictions are affected (they don’t have by default).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Storage API 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Storage API module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Storage API module for Drupal 7.x, upgrade to Storage API 7.x-1.8
The Aegir Hosting System enables you to deploy and manage Drupal sites.
When writing Apache vhost files for hosted sites on a common platform (multi-site), Aegir doesn’t block execution of code uploaded to another site on the same platform.
This vulnerability is mitigated by the fact that an attacker must already have compromised another site, on the same multi-site install, sufficiently to upload executable code to its files directory.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.
Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) distribution,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir 6.x-2.4
If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir 7.x-3.0-beta2
After installation you need to run a verify task on all hosted sites. The easiest method is to use the Views Bulk Operations on the hosting/sites page.
Vulnerability: Cross Site Scripting, Access bypass
Description
Navigate is a customizable navigation tool for Drupal.
Access Bypass
In certain situations the module does not adequately check content permissions, allowing a malicious user with “navigate view” permission to modify custom widgets and create new widget database records.
Cross-site scripting
The module also doesn’t sufficiently filter text, creating an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “navigate view”, “navigate_custom use” and either “navigate customize” or “navigate administer”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
All versions of Navigate module.
Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.
Solution
If you use the Navigate module you should uninstall it.
The Shipwire API module handles communication with the Shipwire shipping service.
The Shipwire module doesn’t check view permission for the shipments overview page when installed (admin/shipwire/shipments). Limited non-public information is displayed on the page.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Shipwire 7.x-1.x versions prior to 7.x-1.03.
Drupal core is not affected. If you do not use the contributed Shipwire module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Shipwire module for Drupal 7.x, please upgrade to Shipwire 7.x-1.03 or greater.
Check the settings have been updated by navigating to Structure -> Views -> Shipwire shipment. Under ‘Page settings’ make sure that ‘Access’ is set to ‘Permission’ -> ‘View all Shipwire Shipments’.