The Contact Form Fields module enables you to create additional fields to site-wide contact form.
Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
All Contact Form Fields versions prior to 6.x-2.3.
Drupal core is not affected. If you do not use the contributed Contact form fields module,
there is nothing you need to do.
This module enables users to change the currency of Ubercart products.
When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect vulnerability.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Ubercart Currency Conversion 6.x-1.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Ubercart Currency Conversion module, there is nothing you need to do.
This module enables you to upload, convert and playback videos.
The module doesn’t sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create video nodes” and that WYSIWYG video plugin must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Video 7.x-2.x versions from 7.x-2.2-beta1 to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed Video module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the video module for Drupal 7.x-2.x, upgrade to Video 7.x-2.11
Room Reservations module enables you to manage a room reservation system.
The module doesn’t sufficiently sanitize the node title of “Room Reservations Category” nodes and the body of “Room Reservations Room” nodes, thereby leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a user with the permission “Administer the room reservations system”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Room Reservations 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Room Reservations module,
there is nothing you need to do.
Vulnerability: Cross Site Request Forgery, Open Redirect
Description
Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development.
The module exposes multiple paths that were not protected against Cross Site Request Forgeries (CSRF). A malicious user could cause a user with “Use Tadaa!” permission to enable and disable modules or change variables by getting his browser to make a request to a specially-crafted URL while logged in.
Also, these callbacks had a destination query parameter that was not protected against open redirects.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Tadaa! 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Tadaa! module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Tadaa! module for Drupal 7.x, upgrade to Tadaa! 7.x-1.4
Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users.
The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access wishlists”, and that only sites with dblog module enabled are affected (dblog module is enabled by default).
Also, the paths to manage wishlist purchase intentions do not confirm the intent of a user. A malicious user could cause another user to delete wishlist purchase intentions by getting their browser to make a request to a specially-crafted URL, a Cross-Site Request Forgery (CSRF).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Wishlist 7.x-2.x versions prior to 7.x-2.7.
Wishlist 6.x-2.x versions prior to 6.x-2.7.
Drupal core is not affected. If you do not use the contributed Wishlist Module module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Wishlist module for Drupal 7.x, upgrade to Wishlist 7.x-2.7.
If you use the Wishlist module for Drupal 6.x, upgrade to Wishlist 6.x-2.7.
Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types.
The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher report by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Log Watcher 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Log Watcher module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Log Watcher module for Drupal 6.x, upgrade to Log Watcher 6.x-1.2
This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon.
The report administration links are not properly protected from CSRF. A malicious user could cause an administrator to delete settings for hidden form elements or status messages by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Jammer 6.x-1.x versions prior to 6.x-1.8.
Jammer 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Jammer module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Jammer module for Drupal 6.x, upgrade to Jammer 6.x-1.8
If you use the Jammer module for Drupal 7.x, upgrade to Jammer 7.x-1.4