Node Template module enables you to define any node as a node template and it can be duplicated later.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause a user with “access node template” permission to delete node templates by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Node Template module.
Drupal core is not affected. If you do not use the contributed Node Template module, there is nothing you need to do.
Solution
If you use the Node Template module you should uninstall it.
Keyword Research module enables you to tag and prioritize keywords on a site and node level basis.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause another user with “kwresearch admin site keywords” permission to create, delete and set priorities to keywords by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Keyword Research 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Keyword Research module, there is nothing you need to do.
HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.
The module may store user passwords in plain text.
This vulnerability is mitigated by the fact that the option “Ask user for a password when registering” must be enabled. The information is disclosed to anyone with access to the database, “administer users” or “administer site configuration” permission.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.
Services module enables you to expose an API to third party systems.
Access bypass (file upload and execution)
The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the “File > Create” resource must be enabled and an attacker must have a role with the Services “Save file information” permission.
Private fields information displayed
Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Services 7.x-3.x versions prior to 7.x-3.12.
Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.
In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as administer taxonomy.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Display Suite version 7.x-2.7. Versions prior to Display Suite 7.x-2.7 are not vulnerable.
Drupal core is not affected. If you do not use the contributed Display Suite module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Display Suite module for Drupal 7.x-2.7, upgrade to Display Suite 7.x-2.8
CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the “Administer reports” permission.
The module doesn’t sufficiently protect some links against CSRF. A malicious user can cause another user to delete reports by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
CiviCRM private report 6.x-1.x versions prior to 6.x-1.2.
CiviCRM private report 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CiviCRM private report module, there is nothing you need to do.
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file (comma separated file).
Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to request certain URLs, thereby leading to a Cross Site Request Forgery (CSRF) vulnerability.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
User Import 6.x-4.x versions prior to 6.x-4.4
User Import 7.x-2.x versions prior to 7.x-2.3
Drupal core is not affected. If you do not use the contributed User Import module, there is nothing you need to do.
Solution
Install the latest version:
If you use the User Import module for Drupal 6.x, upgrade to User Import 6.x-4.4
If you use the User Import module for Drupal 7.x, upgrade to User Import 7.x-2.3
This module enables you to import content from a web page by scraping its Open Graph data.
The module doesn’t sufficiently check for “create” permission to the content type that is configured as the destination for imported content, thus allowing a user with the “import og_tag_importer” permission to create content regardless of other permissions.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
og_tag_importer 7.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Open Graph Importer module,
there is nothing you need to do.
Solution
Disable the module. There is no safe version of the module to use.
Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search.
The module doesn’t sufficiently sanitize the entered search query, thereby exposing a XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.
This is mitigated by the fact that only sites with the option “Append the keywords passed by the user to the list” disabled are affected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Current Search Links 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Current Search Links module,
there is nothing you need to do.
The Password Policy module allows enforcing restrictions on user passwords by defining password policies.
The module doesn’t sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that only sites with a policy that uses the username constraint are affected. Also, only sites importing users from an external source (like distributed authentication) may allow non-standard usernames that might contain malicious characters, as Drupal core has validation when creating users via the user interface.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Password Policy 6.x-1.x versions prior to 6.x-1.11.
Password Policy 7.x-1.x versions prior to 7.x-1.11.
Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Password Policy 6.x-1.x module for Drupal 6.x, upgrade to Password Policy 6.x-1.11
If you use the Password Policy 7.x-1.x module for Drupal 7.x, upgrade to Password Policy 7.x-1.11