Navigate is a customizable navigation bar for Drupal.
The module doesn’t sufficiently sanitize user input when displaying the Navigate bar.
Because this is a Reflected Cross Site Scripting vulnerability, the only mitigating factor is that the victim must be tricked into visiting a specially crafted malicious URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Navigate 6.x-1.x versions prior to 6.x-1.1.
Navigate 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Navigate module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Navigate module for Drupal 6.x, upgrade to Navigate 6.x-1.1
If you use the Navigate module for Drupal 7.x, upgrade to Navigate 7.x-1.1
Avatar Uploader module provides an alternative way to upload user pictures.
The module doesn’t sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal’s normal file upload protections and place malicious HTML or executable code on the server.
The Node Access Product module provides ‘Node access’ settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views.
The module doesn’t sufficiently sanitize node titles, leading to the possibility of cross-site scripting by an attacker.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit content.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Node Access Product
Drupal core is not affected. If you do not use the contributed Node Access Product module, there is nothing you need to do.
Solution
If you use the Node Access Product module you should uninstall it.
Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode.
The module doesn’t sufficiently sanitize user-provided text in its “Link to path” field formatter, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit taxonomy terms.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Taxonomy Path 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Taxonomy Path module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Taxonomy Path module for Drupal 7.x, upgrade to Taxonomy Path 7.x-1.2
Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Multiple vulnerabilities
Description
Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service.
The module doesn’t sufficiently sanitize user-supplied text on the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability.
Also, some URLs were not protected against CSRF. A malicious user can cause another user to delete their configured bank accounts by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Commerce Balanced Payments.
Drupal core is not affected. If you do not use the contributed Commerce Balanced Payments module, there is nothing you need to do.
Solution
If you use the Commerce Balanced Payments module you should uninstall it.
Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Open Redirect, Multiple vulnerabilities
Description
Node basket module enables you to pick up nodes in a basket.
The module doesn’t sufficiently sanitize user-supplied text on some pages, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user account with permission to create/edit nodes.
Also, the module has CSRF vulnerabilities. A malicious user can cause another user to add or remove nodes in their basket by getting that user’s browser to make a request to a specially-crafted URL.
Also, the module has an Open Redirect vulnerability.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Node basket module.
Drupal core is not affected. If you do not use the contributed Node basket module, there is nothing you need to do.
Solution
If you use the Node basket module you should uninstall it.
Feature Set module enables you to enable or disable sets of features or modules.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator’s browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Feature Set module.
Drupal core is not affected. If you do not use the contributed Feature Set module, there is nothing you need to do.
Solution
If you use the Feature Set module you should uninstall it.