The Amazon AWS module provides integration with Amazon Web Services (AWS).
A malicious user who guesses an access token could trigger the creation of new backups by requesting a specially-crafted URL. If the number of stored backups is limited, repeated requests to that URL would exceed the limit, so older backup states are lost as they are replaced by the newly generated ones.
This vulnerability is mitigated by the fact that an attacker must know the AWS Access Key Id (these are not secret).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Amazon AWS versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Amazon AWS module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Amazon AWS module for Drupal 7, upgrade to Amazon AWS 7.x-1.3
The Corner module enables you to add configurable corners to your site.
A malicious user can cause an administrator to enable or disable corners (a Cross Site Request Forgery, CSRF) by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator is logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of Corner module
Drupal core is not affected. If you do not use the contributed Corner module, there is nothing you need to do.
Solution
If you use the Corner module, you should uninstall it.
Shibboleth Authentication module allows users to log in and get permissions based on federated (SAML2) authentication.
The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator is logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Shibboleth Authentication 6.x-4.x versions prior to 6.x-4.1.
Shibboleth Authentication 7.x-4.x versions prior to 7.x-4.1.
Drupal core is not affected. If you do not use the contributed Shibboleth Authentication module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Shibboleth Authentication module for Drupal 6.x, upgrade to 6.x-4.1
If you use the Shibboleth Authentication module for Drupal 7.x, upgrade to 7.x-4.1
The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached.
The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject script into the page, a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role that allows them to create nodes or edit nodes that are assigned as quizzes.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions prior to 7.x-1.16.
Drupal core is not affected. If you do not use the contributed Quizzler module, there is nothing you need to do.
The Taxonews module enables you to create blocks of nodes carrying a given taxonomy term.
The module doesn’t sufficiently escape term names in the blocks it builds, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer taxonomy” or the ability to create terms in some other way.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Taxonews 7.x-1.x versions prior to 7.x-1.1.
Taxonews 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Taxonews module, there is nothing you need to do.
The Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns; these are easy to read, modify, manage and share, and can be executed manually or as part of an automated web site deployment.
Some links were not protected against CSRF. A malicious user could cause an administrator to restore, publish and unpublish patterns by getting the administrator’s browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Patterns 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Patterns module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Patterns module for Drupal 7.x, upgrade to Patterns 7.x-2.2
The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services (SOAP) and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco repository.
Some links in Alfresco Browser were not properly protected from CSRF. A malicious user could cause a user to delete Alfresco nodes by getting the user’s browser to make a request to a specially-crafted URL while the user was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Alfresco 6.x-1.x versions prior to 6.x-1.3.
Drupal core is not affected. If you do not use the contributed Alfresco module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Alfresco module for Drupal 6.x, upgrade to Alfresco 6.x-1.3
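The Corner, Shibboleth Authentication, Patterns and Alfresco Browser advisories above share one root cause: a state-changing action reachable through a plain GET link that carries no per-session token. The Drupal 7 snippet below is an added example, not code from any of those modules; the module name example_widget, its paths and example_widget_delete() are hypothetical.

```php
<?php
// Added example, not code from any module on this page: a Drupal 7 menu
// callback for a state-changing link, first unprotected (the pattern behind
// the CSRF advisories), then protected with a per-session token.
// example_widget, its paths and example_widget_delete() are hypothetical.

function example_widget_menu() {
  $items['admin/example/widget/%/delete'] = array(
    'title' => 'Delete widget',
    'page callback' => 'example_widget_delete_page',
    'page arguments' => array(3),
    'access arguments' => array('administer widgets'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Vulnerable: a plain GET to the path performs the deletion, so any page that
// makes a logged-in administrator's browser fetch that URL triggers it.
function example_widget_delete_page_unprotected($id) {
  example_widget_delete($id);
  drupal_goto('admin/example/widgets');
}

// Hardened, step 1: every link to the action carries a token that
// drupal_get_token() ties to the current session and to this exact action.
function example_widget_delete_link($id) {
  return l(t('Delete'), "admin/example/widget/$id/delete", array(
    'query' => array('token' => drupal_get_token("widget-delete-$id")),
  ));
}

// Hardened, step 2: the callback refuses to act unless that token validates.
function example_widget_delete_page($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "widget-delete-$id")) {
    // A forged cross-site request cannot know the token, so it ends here.
    watchdog('example_widget', 'Rejected delete of widget %id: bad token.',
      array('%id' => $id), WATCHDOG_WARNING);
    return MENU_ACCESS_DENIED;
  }
  example_widget_delete($id);
  drupal_set_message(t('Widget %id deleted.', array('%id' => $id)));
  drupal_goto('admin/example/widgets');
}
```

Where the action warrants a confirmation step, routing it through confirm_form() gives the same protection, because Form API attaches and validates its own token on submit.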
The Content Analysis module is an API designed to help modules that need to analyze content.
The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only sites with dblog module enabled are affected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Content Analysis 6.x-1.x versions prior to 6.x-1.7.
Drupal core is not affected. If you do not use the contributed Content Analysis module, there is nothing you need to do.
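The Quizzler, Taxonews and Content Analysis advisories above are the same defect at three output sinks: a node title, a taxonomy term name and a log message written out without escaping. The Drupal 7 snippet below is an added example, not code from any of those modules; the function names and the sample data are constructed.

```php
<?php
// Added example, not code from any module on this page: the output sinks
// behind the XSS advisories above (node title, taxonomy term names, dblog
// messages), each shown unescaped and then escaped. example_block_view(),
// example_block_view_unescaped() and the sample data below are constructed.

// Vulnerable: everything is written out exactly as the user saved it.
function example_block_view_unescaped($node, $terms, $user_input) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = $term->name;                        // theme_item_list() does not escape
  }
  watchdog('example', 'Analyzed: ' . $user_input); // becomes markup in the dblog page
  return array(
    'subject' => $node->title,                     // block.tpl.php prints it raw
    'content' => array('#markup' => theme('item_list', array('items' => $items))),
  );
}

// Hardened: escape at the point of output, or hand the string to an API that
// escapes for you (l() with its default html => FALSE, watchdog() placeholders).
function example_block_view($node, $terms, $user_input) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = l($term->name, 'taxonomy/term/' . $term->tid);
  }
  // @ and % placeholders are run through check_plain() when dblog renders them.
  watchdog('example', 'Analyzed: @text', array('@text' => $user_input));
  return array(
    'subject' => check_plain($node->title),
    'content' => array('#markup' => theme('item_list', array('items' => $items))),
  );
}

// Constructed sample: the kind of title and term name a user with node or term
// creation rights could save; the returned subject is entity-encoded.
function example_demo() {
  $node = (object) array('title' => '<script>alert(1)</script> Quiz 1');
  $terms = array((object) array('tid' => 7, 'name' => '<b onmouseover=alert(1)>News</b>'));
  $block = example_block_view($node, $terms, 'user text <i>');
  return $block['subject'];
}
```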