Campaign Monitor module integrates the Campaign Monitor API into Drupal.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Campaign Monitor 7.x-1.0
Drupal core is not affected. If you do not use the contributed Campaign Monitor module, there is nothing you need to do.
Solution
If you use the Campaign Monitor module for Drupal 7 you should uninstall it.
Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes.
The provided function finder_form_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Finder module
Drupal core is not affected. If you do not use the contributed Finder module, there is nothing you need to do.
Solution
If you use the Finder module you should uninstall it.
Tracking Code module allows you to create tracking code snippets and control their visibility.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Tracking Code module
Drupal core is not affected. If you do not use the contributed Tracking Code module, there is nothing you need to do.
Solution
If you use the Tracking Code module you should uninstall it.
Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
Registration codes module allows new account registrations only for users who provide a valid registration code.
The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities.
Additionally, some URLs were not protected against CSRF, a malicious user can cause an administrator to delete rules by getting their browser to make a request to a specially-crafted URL.
The XSS vulnerabilities may be mitigated by the fact that an attacker must have a user allowed to create/edit taxonomy terms or nodes.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Registration codes
Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.
Solution
If you use the Registration codes module you should uninstall it.
Ubercart Discount Coupons module provides discount coupons for Ubercart stores.
The module doesn’t sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.
The vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms. Note that for vocabularies with free tagging enabled, this includes any user with permission to add/edit content of a type to which the vocabulary applies.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8
Drupal core is not affected. If you do not use the contributed Ubercart Discount Coupons module, there is nothing you need to do.
Webform enables you to create surveys, personalized contact forms, contests, and the like.
Cross Site Scripting Related to Webform Submissions
The module doesn’t sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform’s results table tab.
To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:
<?php $conf['webform_table'] = TRUE; ?>
Cross Site Scripting Related to Blocks
The module doesn’t sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
webform 6.x versions prior to 6.x-3.22.
webform 7.x-3.x versions prior to 7.x-3.22.
webform 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22
Watchdog Aggregator collects watchdog messages from external sites.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Watchdog Aggregator module.
Drupal core is not affected. If you do not use the contributed Watchdog Aggregator module, there is nothing you need to do.
Solution
If you use the Watchdog Aggregator module you should uninstall it.