This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way.
The module doesn’t sufficiently protect access to content a user has no access to. In certain scenarios a user with the “administer ddblock” permission can see titles of content to which this user has no access.
This vulnerability is mitigated by the fact that an attacker must have a role with the “administer ddblock” permission.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Dynamic display block module.
Drupal core is not affected. If you do not use the contributed Dynamic display block module, there is nothing you need to do.
Solution
If you use the Dynamic display block module you should uninstall it.
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.
Access bypass due to cache inconsistency
Due to an issue in the caching mechanism of Views it’s possible that configured filters lose their effect.
This can lead to exposure of content that otherwise would be hidden from visitors.
This vulnerability is mitigated by the fact that it can’t be exploited directly but occurs only when certain prerequisites are met.
Systems that use in-memory cache backends like redis / memcache are more likely to be affected by this issue. This is due to the common strategy used to free cache space when the configured memory limit of the cache is reached.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Views 7.x-3.x versions from 7.x-3.5 to 7.x-3.10.
Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.11
This module implements a new field formatter for textfields (text, text_long, and text_with_summary, if you want to get technical) that improves upon the “Summary or Trimmed” formatter built into Drupal 7.
The module doesn’t sufficiently filter user input via the field settings form.
This vulnerability is mitigated by the fact that only administrative users who can administer field types can exploit it.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Smart Trim 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Smart Trim module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the smart_trim module for Drupal 7.x, upgrade to smart_trim-7.x-1.5
The MailChimp module allows you to create and manage mailing lists via MailChimp’s API.
The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the “administer mailchimp” permission and the “MailChimp Signup” submodule must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
MailChimp 7.x-3.x versions prior to 7.x-3.3 (MailChimp 7.x-2.x versions are not affected).
Drupal core is not affected. If you do not use the contributed MailChimp module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the MailChimp module for Drupal 7.x, upgrade to MailChimp 7.x-3.3
This module enables you to integrate your Drupal site with TechSmith Relay software.
The module doesn’t sufficiently sanitize user input under the meta access tab.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “view meta information”.
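As an added illustration (not code from any of the modules in these advisories), the following Drupal 7 snippet shows the two defensive patterns these advisories point at: restricting a content listing to nodes the current user may actually view (the Dynamic display block issue), and escaping administrator-supplied settings text at output rather than trusting it because it came from a settings form (the Smart Trim, MailChimp Signup and Camtasia Relay issues). The function name example_featured_list and the $heading setting are hypothetical; the APIs used (db_select() with the node_access query tag, node_access(), check_plain(), l(), the item_list theme) are Drupal 7 core.

```php
<?php
/**
 * Illustrative Drupal 7 helper (assumed example, not code from any module
 * named in the advisories above).
 *
 * Two defensive patterns:
 *  - Access bypass: list only nodes the given account may view, by tagging
 *    the query with 'node_access' so node access modules can alter it, and
 *    by re-checking node_access() on every result.
 *  - XSS: text that originates from an administrative settings form is still
 *    untrusted at render time, so escape it once, at output, with
 *    check_plain() (or filter_xss() if limited markup is intended).
 */

/**
 * Builds a renderable list of promoted nodes visible to $account.
 *
 * @param string $heading
 *   Administrator-supplied heading stored by a settings form (untrusted).
 * @param int $limit
 *   Maximum number of nodes to list.
 * @param object|null $account
 *   Account to check access for; defaults to the current user.
 *
 * @return array
 *   A render array for theme('item_list').
 */
function example_featured_list($heading, $limit = 5, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }

  // A listing built without the 'node_access' tag (plain db_query() on the
  // node table, for instance) returns titles regardless of grants; this is
  // the shape of the access bypass described for Dynamic display block.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', NODE_PUBLISHED)
    ->condition('n.promote', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    // Lets node access modules add their grant conditions to the query.
    ->addTag('node_access')
    // Tells the node_access alter hook which account to evaluate grants for.
    ->addMetaData('account', $account);

  $items = array();
  foreach ($query->execute() as $row) {
    $node = node_load($row->nid);
    // hook_node_access() implementations are not expressed through the
    // node_access table, so the query tag alone is not sufficient.
    if (!$node || !node_access('view', $node, $account)) {
      continue;
    }
    // l() escapes the link text itself (its 'html' option defaults to
    // FALSE), so the raw title is passed in: escape exactly once, at output.
    $items[] = l($node->title, 'node/' . $node->nid);
  }

  return array(
    '#theme' => 'item_list',
    // theme_item_list() prints '#title' as raw HTML, so the stored setting
    // must be escaped here; omitting check_plain() is the stored-XSS shape
    // described for the settings-form issues above.
    '#title' => check_plain($heading),
    '#items' => $items,
  );
}
```

The two checks are deliberately redundant: the query tag keeps the result set small and correct for grant-based access modules, while the per-node node_access() call also honours modules that implement hook_node_access() without writing grants. If the heading were meant to carry limited markup, filter_xss($heading) would replace check_plain($heading); either way the escaping happens where the text is emitted, not where it was entered.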
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
camtasia_relay 6.x-2.x versions prior to 6.x-3.2.
camtasia_relay 7.x-2.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Camtasia Relay module,
there is nothing you need to do.