Description
EntityBulkDelete module allows you to delete entities in bulk using the Batch API.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit comments, create/edit taxonomy terms or create/edit nodes.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Drupal core is not affected. If you do not use the contributed EntityBulkDelete module, there is nothing you need to do.
Solution
Install the latest version:
Also see the EntityBulkDelete project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer image styles”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Imagefield Info 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Imagefield Info module, there is nothing you need to do.
Solution
Install the latest version:
Also see the Imagefield Info project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit Ubercart products or webforms.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Ubercart Webform Checkout Pane module
Drupal core is not affected. If you do not use the contributed Ubercart Webform Checkout Pane module, there is nothing you need to do.
Solution
If you use the Ubercart Webform Checkout Pane module you should uninstall it.
Also see the Ubercart Webform Checkout Pane project page.
Reported by
Fixed by
Not applicable.
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools.
The module doesn’t sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Decisions module
Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.
Solution
If you use the Decisions module you should uninstall it.
Also see the Decisions project page.
Reported by
Fixed by
Not applicable.
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Invoice module allows you to create invoices in Drupal.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.
The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer own invoices” and be able to create/edit nodes of the “Invoice” content type.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Invoice module
Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.
Solution
If you use the Invoice module you should uninstall it.
Also see the Invoice project page.
Reported by
Fixed by
Not applicable.
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Linear Case module allows you to organize Closed Question documents in case studies.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user with permission to edit/create Linear Case nodes.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Linear Case 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Linear Case module, there is nothing you need to do.
Solution
Install the latest version:
Also see the Linear Case project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Webform Multiple File Upload module enables you to upload multiple files at once in webforms.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Webform Multiple File Upload 6.x-1.x versions prior to 6.x-1.3.
Webform Multiple File Upload 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.
Solution
Install the latest version:
Also see the Webform Multiple File Upload project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
This module enables you to add navigation to your webpages colloquially referred to as “breadcrumbs”.
The module doesn’t sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Crumbs”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Crumbs 7.x-2.x versions prior to 7.x-2.3
Drupal core is not affected. If you do not use the contributed Crumbs module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Crumbs module for Drupal 7.x, upgrade to Crumbs 7.x-2.3
Also see the Crumbs project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
The Petition module enables you to create petitions which users may sign.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create petition”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Petition 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Petition module, there is nothing you need to do.
Solution
Install the latest version:
Also see the Petition project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Description
Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Profile2 Privacy Levels”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Profile2 Privacy 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Profile2 Privacy module, there is nothing you need to do.
Solution
Install the latest version:
Also see the Profile2 Privacy project page.
Reported by
Matt Vance provisional member of the Drupal Security Team
Fixed by
Coordinated by
Matt Vance provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact .
Learn more about the Drupal Security team and their policies , writing secure code for Drupal , and securing your site .
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Posts navigation
Software and Security Information