The Custom Sitemap module enables you to add custom sitemaps to a site.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Custom Sitemap module.
Drupal core is not affected. If you do not use the contributed Custom Sitemap module, there is nothing you need to do.
Solution
If you use the Custom Sitemap module you should uninstall it.
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description
Spider Video Player module enables you to add HTML5 and Flash videos to your site.
The module doesn’t sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the attacker must have a role with the permission “access Spider Video Player administration”.
Additionally, the module doesn’t sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting videos by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Spider Video Player module.
Drupal core is not affected. If you do not use the contributed Spider Video Player module, there is nothing you need to do.
Solution
If you use the Spider Video Player module you should uninstall it.
Spider Catalog module enables you to build product catalogs.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Spider Catalog module.
Drupal core is not affected. If you do not use the contributed Spider Catalog module, there is nothing you need to do.
Solution
If you use the Spider Catalog module you should uninstall it.
Vulnerability: Cross Site Request Forgery, SQL Injection, Multiple vulnerabilities
Description
Spider Contacts module provides a user-friendly way to manage and display contacts.
The module doesn’t use Drupal’s Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker must have a role with the permission “access Spider Contacts category administration”.
Additionally, the module doesn’t sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting contact categories by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Spider Contacts module.
Drupal core is not affected. If you do not use the contributed Spider Contacts module, there is nothing you need to do.
Solution
If you use the Spider Contacts module you should uninstall it.
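The Custom Sitemap, Spider Video Player, Spider Catalog and Spider Contacts advisories above all describe the same two defects: a state-changing action (delete) reachable by a bare GET with nothing tying the request to the administrator's session, and, in the Spider Contacts case, user input concatenated into SQL. The following Drupal 7 code is an added illustration written for this page; it is not code from any of those modules. The module name `example_catalog`, the table `example_items` and the permission string are hypothetical, and the token and Database API calls are Drupal 7 core functions.

```php
<?php
/**
 * Hypothetical module "example_catalog" (not any module named in the
 * advisories). Shows a CSRF-protected delete callback that also uses the
 * Database API instead of string-built SQL.
 */

/**
 * Implements hook_menu().
 */
function example_catalog_menu() {
  $items['admin/example-catalog/delete/%'] = array(
    'title' => 'Delete item',
    'page callback' => 'example_catalog_delete_page',
    'page arguments' => array(3),
    'access arguments' => array('administer example catalog'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the admin-only delete link. drupal_get_token() derives the token from
 * the current session and the supplied value, so a link forged on another site
 * (which has no way to learn the admin's session) will not validate.
 */
function example_catalog_delete_link($item_id) {
  $item_id = (int) $item_id;
  return l(t('Delete'), 'admin/example-catalog/delete/' . $item_id, array(
    'query' => array('token' => drupal_get_token('example_catalog_delete_' . $item_id)),
  ));
}

/**
 * Page callback for the delete URL.
 *
 * The pattern the advisories describe looks like this (do not copy):
 *   db_query("DELETE FROM {example_items} WHERE id = " . $_GET['id']);
 * executed on any GET, with no check that the admin meant to click it.
 */
function example_catalog_delete_page($item_id) {
  $item_id = (int) $item_id;

  // 1. CSRF: refuse unless the request carries a token issued to this session
  //    for this exact item. Using the wrong value or no token yields 403.
  if (empty($_GET['token'])
      || !drupal_valid_token($_GET['token'], 'example_catalog_delete_' . $item_id)) {
    return MENU_ACCESS_DENIED;
  }

  // 2. SQL injection: let the Database API quote values. Placeholders for a
  //    raw query, or the query builder, which never sees the SQL text at all.
  $title = db_query('SELECT title FROM {example_items} WHERE id = :id',
    array(':id' => $item_id))->fetchField();
  if ($title === FALSE) {
    return MENU_NOT_FOUND;
  }
  db_delete('example_items')
    ->condition('id', $item_id)
    ->execute();

  drupal_set_message(t('Deleted %title.', array('%title' => $title)));
  drupal_goto('admin/example-catalog');
}
```

A token on a GET link is the minimal fix that keeps the existing URLs; the more idiomatic Drupal approach is to route deletes through `confirm_form()`, which turns the action into a POST that the Form API protects with its own form token, and which also gives the administrator a chance to cancel.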
Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site.
The module doesn’t validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Services single sign-on server helper module.
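The Services single sign-on server helper advisory is an open-redirect problem: a URL taken from a request parameter is handed to the redirect without checking that it points back into the site. The code below is an added example for this page, not the module's own code; the function names `example_sso_safe_destination` and `example_sso_finish_page` and the `return_to` parameter are hypothetical, while `url_is_external()`, `drupal_goto()` and `watchdog()` are Drupal 7 core.

```php
<?php
/**
 * Hypothetical redirect helper for a Drupal 7 module (example code, not the
 * Services SSO server helper module's own). Only a local Drupal path is
 * honoured as a destination; anything else falls back to a fixed page.
 */
function example_sso_safe_destination($requested, $fallback = '<front>') {
  $requested = trim((string) $requested);
  if ($requested === '') {
    return $fallback;
  }
  // url_is_external() rejects absolute URLs ("http://..."), protocol-relative
  // URLs ("//host/...") and URLs with a scheme such as "javascript:".
  $bad = url_is_external($requested);
  // A leading slash is still "internal" to url_is_external(), but url() joins
  // it to the base path; on a site served from the web root that produces
  // "//host/..." again, so reject it too. Backslashes are rejected because some
  // browsers normalise them to forward slashes before the checks above apply.
  $bad = $bad || strpos($requested, '/') === 0 || strpos($requested, '\\') !== FALSE;
  if ($bad) {
    watchdog('example_sso', 'Rejected redirect target %url', array('%url' => $requested), WATCHDOG_WARNING);
    return $fallback;
  }
  return $requested;
}

/**
 * Page callback that ends the SSO flow: redirects to the validated target.
 */
function example_sso_finish_page() {
  $requested = isset($_GET['return_to']) ? $_GET['return_to'] : '';
  drupal_goto(example_sso_safe_destination($requested));
}
```

The `watchdog()` call is worth keeping: a burst of rejected external targets in the log is the signal that someone is probing the redirect, and it costs nothing when the parameter is used legitimately.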
SMS Framework module enables you to send and receive SMS messages from and into Drupal.
The module doesn’t sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.
This vulnerability is mitigated by the fact that the “Send to phone” submodule must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
SMS Framework 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed SMS Framework module, there is nothing you need to do.
Solution
Install the latest version:
If you use the SMS Framework module for Drupal 6.x, upgrade to SMS Framework 6.x-1.1
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.
The module doesn’t sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer fields such as “administer taxonomy”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Entity API 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Entity API module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Entity API module for Drupal 7.x, upgrade to Entity API 7.x-1.6
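The SMS Framework and Entity API advisories above are both output-escaping failures: user-controlled text (a query parameter echoed into a message preview; a field label handed out through the Token API) reaches the browser as HTML. The code below is an added example for this page and is not taken from either module. The function names `example_sms_preview_page`, `example_tokens`, the token type `example-field` and the `message` parameter are hypothetical; `check_plain()`, `hook_tokens()` and the `sanitize` option of `token_replace()` are Drupal 7 core.

```php
<?php
/**
 * Hypothetical Drupal 7 code (example only, not from the SMS Framework or
 * Entity API modules) showing the escaping those two advisories call for.
 */

/**
 * Reflected XSS pattern: a "preview" page that echoes ?message= back to the
 * user who requested it. Because the value rides in the URL, a link can carry
 * the payload to a victim; escaping at output time closes that.
 */
function example_sms_preview_page() {
  $text = isset($_GET['message']) ? $_GET['message'] : '';
  // Vulnerable form (do not copy): '<div class="preview">' . $text . '</div>'
  // Hardened form: check_plain() turns <, >, &, " into entities so the text
  // is rendered literally. The raw value is not altered, only its rendering.
  return '<div class="preview">' . check_plain($text) . '</div>';
}

/**
 * Implements hook_tokens().
 *
 * Stored XSS pattern: a field label typed by someone with "administer
 * taxonomy" (or similar) is exposed as a token and ends up in HTML wherever
 * the token is used. token_replace() passes $options['sanitize'] (TRUE by
 * default); a token provider must honour it rather than return the raw label.
 */
function example_tokens($type, $tokens, array $data = array(), array $options = array()) {
  $replacements = array();
  if ($type !== 'example-field' || empty($data['field_instance'])) {
    return $replacements;
  }
  $sanitize = !isset($options['sanitize']) || $options['sanitize'];
  foreach ($tokens as $name => $original) {
    if ($name === 'label') {
      $label = $data['field_instance']['label'];
      $replacements[$original] = $sanitize ? check_plain($label) : $label;
    }
  }
  return $replacements;
}
```

The same rule covers both cases: data is stored and passed around unescaped, and escaping happens once, at the point where it becomes HTML, using `check_plain()` for plain text or `filter_xss()` where limited markup is intended.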
The RESTful Web Services (RESTWS) module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.
The RESTWS Basic Auth submodule doesn’t sufficiently disable page caching for authenticated requests thereby leaking potentially confidential data to unauthorized users.
This vulnerability is mitigated by the fact that the RESTWS Basic Auth submodule must be enabled, page caching must be enabled and permissions for a resource containing sensitive data must be enabled (for example the User resource).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
RESTWS 7.x-1.x versions prior to 7.x-1.5.
RESTWS 7.x-2.x versions prior to 7.x-2.3.
Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
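The RESTWS Basic Auth advisory describes a caching problem rather than an access-control one: a request authenticated by an `Authorization` header is still, from the page cache's point of view, an anonymous request, so the response built for that user can be stored and later served to anyone who asks for the same URL. The code below is an added example for this page and is not the RESTWS module's code; the module name `example_basicauth` is hypothetical, while `drupal_page_is_cacheable()`, `drupal_add_http_header()` and `user_authenticate()` are Drupal 7 core.

```php
<?php
/**
 * Hypothetical module "example_basicauth" (example only, not RESTWS Basic
 * Auth). Authenticates a request from HTTP Basic credentials and makes sure
 * the resulting page is never placed in the page cache.
 */

/**
 * Implements hook_init().
 *
 * Runs at full bootstrap, before the page callback, so the cacheable flag is
 * cleared before any content is generated.
 */
function example_basicauth_init() {
  if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    // No credentials: an ordinary anonymous request, normal caching applies.
    return;
  }

  // Whatever this response turns out to be, it was built for the holder of
  // these credentials. Do this before authenticating: even a failed login
  // must not leave a cacheable page behind.
  drupal_page_is_cacheable(FALSE);
  // Tell intermediate caches the same thing, and make the cache key depend on
  // the Authorization header in case something upstream ignores Cache-Control.
  drupal_add_http_header('Cache-Control', 'private, no-cache, must-revalidate');
  drupal_add_http_header('Vary', 'Authorization');

  $uid = user_authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
  if ($uid) {
    global $user;
    $user = user_load($uid);
  }
}

/**
 * Page callback for a resource that may include sensitive data.
 * Returns TRUE if the current request must not be cached, for tests or for
 * defensive re-checks in callbacks that build sensitive output.
 */
function example_basicauth_assert_uncached() {
  if (drupal_page_is_cacheable()) {
    // Defensive: if some other module re-enabled caching, turn it off again
    // rather than risk emitting an authenticated response into the cache.
    drupal_page_is_cacheable(FALSE);
    return FALSE;
  }
  return TRUE;
}
```

The check to run after deploying such a module is simple: fetch a sensitive resource once with credentials, then fetch the same URL anonymously from a client with no cookies and confirm that the second response is a 401 or 403 and does not carry `X-Drupal-Cache: HIT`. In the mitigation terms of the advisory, the leak needs all three conditions (the submodule, page caching, and a resource exposing sensitive data); disabling page caching is the quickest stopgap if an upgrade cannot happen immediately.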