The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.
Open redirect vulnerability
The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.
This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.
Access bypass vulnerability
The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.
This vulnerability is mitigated by the fact that it only affects sites that have not granted the common “access content” or “access comments” permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Views 6.x-2.x versions prior to 6.x-2.18.
Views 6.x-3.x versions prior to 6.x-3.2.
Views 7.x-3.x versions prior to 7.x-3.10.
Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.
This module enables you to configure breadcrumbs for any Drupal page.
The module doesn’t check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user.
This vulnerability is mitigated by the fact that it is possible to configure proper access control in Path Breadcrumbs items with “Selection Rules” from the UI.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Path Breadcrumbs 7.x-3.x versions prior to 7.x-3.2
Drupal core is not affected. If you do not use the contributed Path Breadcrumbs module,
there is nothing you need to do.
Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes.
The module doesn’t sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes of the type configured for the timeline.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Ajax Timeline 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Ajax Timeline module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Ajax Timeline module for Drupal 7.x, upgrade to Ajax Timeline 7.x-1.1.
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities
Description
Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions.
The module does not sufficiently check node access when showing (and creating) the PDF certificates. This can lead to users seeing certificates they should not have access to.
This vulnerability is mitigated by the fact that an attacker must have completed the conditions of the certificate.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Certify 6.x-2.x versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Certify module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Certify module for Drupal 6.x, upgrade to Certify 6.x-2.3
Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Open Redirect, Multiple vulnerabilities
Description
Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events.
The module doesn’t sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit nodes configured to be used for RSVP.
Additionally, some URLs are not protected against CSRF. A malicious user can cause a user with the “node_invite_can_manage_invite” permission to re-enable node invitations by getting his browser to make a request to a specially-crafted URL.
Lastly, the module is not checking that some destination parameters are internal URLs, thereby leading to an Open Redirect vulnerability.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Node Invite 6.x-2.x versions prior to 6.x-2.5.
Drupal core is not affected. If you do not use the contributed Node Invite module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Node Invite module for Drupal 6.x, upgrade to Node Invite 6.x-2.5
Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Multiple vulnerabilities
Description
GD Infinite Scroll module enables you to use the “infinite scroll jQuery plugin : auto-pager” on custom pages.
Some links were not protected against CSRF. A malicious user could cause another user with the “edit gd infinite scroll settings” permission to delete settings by getting his browser to make a request to a specially-crafted URL.
Also, the module fails to sanitize user input in its admin page, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “edit gd infinite scroll settings”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
All GD Infinite Scroll versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed GD Infinite Scroll module,
there is nothing you need to do.