Todo Filter module provides an input filter to display check-boxes that can be used as a task list.
Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user’s browser to make a request to a specially-crafted URL while the user was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Todo Filter 6.x-1.x versions prior to 6.x-1.1.
Todo Filter 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Todo Filter module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Todo Filter module for Drupal 6.x, upgrade to Todo Filter 6.x-1.1
If you use the Todo Filter module for Drupal 7.x, upgrade to Todo Filter 7.x-1.1
Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field.
The module doesn’t sufficiently sanitize node titles in the result list if the node search plugin is enabled.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit any type of node and that the linkit node search plugin is enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Linkit 7.x-2.x versions prior to 7.x-2.7.
Linkit 7.x-3.x versions prior to 7.x-3.3.
Drupal core is not affected. If you do not use the contributed Linkit module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Linkit module for Drupal 7.x and Linkit 7.x-2.x, upgrade to Linkit 7.x-2.7
If you use the Linkit module for Drupal 7.x and Linkit 7.x-3.x, upgrade to Linkit 7.x-3.3
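The Linkit issue above is a stored cross-site scripting problem: node titles are user-controlled text, and a result list that hands them to the browser unescaped lets a title that contains markup execute for whoever runs the search. The following is an added example, not Linkit's code, showing a Drupal 7 autocomplete callback in its unsafe and hardened forms. The function names (example_node_matches, example_node_search_unsafe, example_node_search) are invented for this example.

```php
<?php
// Hypothetical autocomplete callback (not Linkit's code). The example_*
// function names are invented for this example.

/**
 * Fetch up to ten published nodes whose title starts with $string.
 *
 * The node_access tag makes the query honour node access grants, so the
 * result list never leaks titles the searching user may not view.
 */
function example_node_matches($string) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', db_like($string) . '%', 'LIKE')
    ->addTag('node_access')
    ->range(0, 10)
    ->execute()
    ->fetchAll();
}

/**
 * Vulnerable: titles are emitted exactly as stored. A node whose title
 * contains HTML (for instance a script element) is stored unchanged, and a
 * client-side result list that inserts the JSON values as HTML runs that
 * markup in the browser of whoever performs the search.
 */
function example_node_search_unsafe($string) {
  $matches = array();
  foreach (example_node_matches($string) as $node) {
    $matches[] = array(
      'title' => $node->title,
      'path' => url('node/' . $node->nid),
    );
  }
  drupal_json_output($matches);
}

/**
 * Hardened: every string that may end up rendered as HTML is escaped on the
 * way out. check_plain() converts <, >, &, " and ' to entities, so the title
 * is displayed as text whatever it contains.
 */
function example_node_search($string) {
  $matches = array();
  foreach (example_node_matches($string) as $node) {
    $matches[] = array(
      'title' => check_plain($node->title),
      'path' => url('node/' . $node->nid),
    );
  }
  drupal_json_output($matches);
}
```

Note that Drupal 7's drupal_json_output() hex-escapes <, > and & inside the JSON text, but that only keeps the JSON document itself from breaking out of a script context; after JSON.parse the client receives the original characters, so the value must be escaped before the client treats it as HTML, or the client must insert it with textContent rather than innerHTML.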
The Batch Jobs project is a scalable way to execute a list of tasks.
Links that take actions on batch jobs are not protected from Cross Site Request Forgery (CSRF). A malicious individual could cause a user that has permission to access a particular batch job (or an administrator) to delete the record of that batch job or possibly execute a task by getting the user’s browser to make a request to a specially-crafted URL while the user is logged in.
This vulnerability only exists when batch job data exists – i.e. during the short period it is running or if it is retained (not deleted after completion of the batch job).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Batch Jobs 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Batch Jobs module,
there is nothing you need to do.
Solution
Make sure that all batch jobs are deleted or install the latest version:
If you use the Batch Jobs project for Drupal 7.x, upgrade to Batch Jobs 7.x-1.2
The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.
Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator’s browser to request specially crafted URLs while the administrator was logged in.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
All Htaccess 7.x-2.x versions prior to 7.x-2.3.
Drupal core is not affected. If you do not use the contributed htaccess module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Htaccess module for Drupal 7.x, upgrade to Htaccess 7.x-2.3
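The Todo Filter, Batch Jobs and Htaccess advisories above share one root cause: a GET link performs a state change without anything that ties the request to the user who clicked it. The following is an added example, not code from any of those three modules, showing the Drupal 7 pattern that closes the gap: the link carries a token from drupal_get_token(), and the menu callback refuses the request unless drupal_valid_token() accepts it. The module name "example", its path, permission name and all example_* functions are invented for this example.

```php
<?php
// Hypothetical module "example" (not Todo Filter, Batch Jobs or Htaccess code).
// The path, permission name and example_* functions are invented here.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items['example/task/%/toggle'] = array(
    'title' => 'Toggle task',
    'page callback' => 'example_toggle_callback',
    'page arguments' => array(2),
    'access arguments' => array('toggle example tasks'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable link: nothing ties the request to the user who clicked it, so a
 * page on another site can trigger the same state change through the user's
 * browser, which sends the session cookie automatically.
 */
function example_toggle_link_unsafe($task_id) {
  return l(t('Toggle'), 'example/task/' . $task_id . '/toggle');
}

/**
 * Hardened link: append a token derived from the session id, the site's
 * private key and hash salt, and the action path.
 */
function example_toggle_link($task_id) {
  $path = 'example/task/' . $task_id . '/toggle';
  return l(t('Toggle'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback: refuse to act unless the token matches this user and path.
 *
 * Because $path is part of the token input, a token minted for one task id
 * does not validate for another, and a token from a different session does
 * not validate at all.
 */
function example_toggle_callback($task_id) {
  $path = 'example/task/' . $task_id . '/toggle';
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  example_toggle_task((int) $task_id);
  drupal_set_message(t('Task @id toggled.', array('@id' => $task_id)));
  drupal_goto('example/tasks');
}

/**
 * The actual state change (hypothetical storage; a variable keeps it simple).
 */
function example_toggle_task($task_id) {
  $done = variable_get('example_done_tasks', array());
  $done[$task_id] = empty($done[$task_id]);
  variable_set('example_done_tasks', $done);
}
```

For destructive actions such as deleting a batch job record or an .htaccess file, the other core pattern is a confirmation form built with confirm_form(): the Form API adds and verifies its own token on submission, so the deletion happens on a POST that a foreign page cannot forge. Either way, the request that changes state must carry something a third-party page cannot obtain.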
Context allows you to manage contextual conditions and reactions for different portions of your site.
Context UI module wasn’t checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby leading to an Open Redirect vulnerability.
This vulnerability is mitigated by the fact that the victim must have the permission “administer contexts” and that Context UI module must be enabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Context 7.x-3.x versions prior to 7.x-3.6.
Drupal core is not affected. If you do not use the contributed Context module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Context module for Drupal 7, upgrade to Context 7.x-3.6
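The Context UI issue above is an open redirect: the callback that toggles the inline editor sends the user to whatever the destination query parameter says, without confirming it is a path on the same site. The following is an added example, not Context UI's code, showing the unsafe handling beside a version that only accepts internal paths. The function names example_editor_toggle_unsafe, example_editor_toggle and example_safe_destination, and the example_editor session key, are invented for this example.

```php
<?php
// Hypothetical editor toggle (not Context UI's code). The example_* functions
// and the 'example_editor' session key are invented for this example.

/**
 * Vulnerable: whatever ?destination= says becomes the redirect target, so an
 * absolute URL in that parameter sends the administrator off-site after the
 * toggle, which is the open redirect described in the advisory.
 */
function example_editor_toggle_unsafe() {
  $_SESSION['example_editor'] = empty($_SESSION['example_editor']);
  $target = isset($_GET['destination']) ? $_GET['destination'] : '<front>';
  drupal_goto($target);
}

/**
 * Hardened: only internal paths are accepted as a redirect target.
 */
function example_editor_toggle() {
  $_SESSION['example_editor'] = empty($_SESSION['example_editor']);
  $target = example_safe_destination('<front>');
  // drupal_goto() itself reads $_GET['destination'] and would override $target
  // with the raw value, so clear it before redirecting.
  unset($_GET['destination']);
  // Keep path, query and fragment so the user lands where they came from.
  $parts = drupal_parse_url($target);
  drupal_goto($parts['path'], array(
    'query' => $parts['query'],
    'fragment' => $parts['fragment'],
  ));
}

/**
 * Return $_GET['destination'] if it is an internal path, else $fallback.
 */
function example_safe_destination($fallback) {
  if (!isset($_GET['destination']) || $_GET['destination'] === '') {
    return $fallback;
  }
  $destination = $_GET['destination'];
  // url_is_external() recognises scheme://host forms. Protocol-relative
  // targets (//host/...) and backslashes, which browsers may treat as
  // slashes, contain no scheme and so pass url_is_external(); they are
  // rejected explicitly.
  if (url_is_external($destination)
      || strpos($destination, '//') === 0
      || strpos($destination, '\\') !== FALSE) {
    return $fallback;
  }
  return $destination;
}
```

The allow-list direction matters: the check accepts only what can be proven internal and falls back to a fixed path otherwise, rather than trying to enumerate hostile forms.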
The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter.
The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is not affected.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer PHPlist”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
PHPlist Integration Module 6.x-1.x versions prior to 6.x-1.7.
Drupal core is not affected. If you do not use the contributed PHPlist Integration Module, there is nothing you need to do.
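The PHPlist Integration issue above is SQL injection against the phpList database, which the module reaches outside Drupal's own database layer. The following is an added example, not the module's code, contrasting a query built by string concatenation with one that binds its parameter, first over a plain PDO connection and then through Drupal 7's Database::getConnection() with a second connection key. The table name phplist_user_user follows phpList's default schema as an assumption, the 'phplist' connection key in settings.php is an assumption, and the example_* function names are invented.

```php
<?php
// Hypothetical phpList lookups (not the PHPlist Integration module's code).
// $pdo is assumed to be a PDO connection to the phpList database; the table
// phplist_user_user is phpList's default subscriber table, assumed here.

/**
 * Vulnerable: $email is spliced into the SQL text. A value containing a
 * single quote ends the string literal and the rest of the value is parsed
 * as SQL, so an "administer PHPlist" user controls the query's logic.
 */
function example_phplist_subscriber_unsafe(PDO $pdo, $email) {
  $sql = "SELECT id, email FROM phplist_user_user WHERE email = '" . $email . "'";
  $result = $pdo->query($sql);
  return $result ? $result->fetch(PDO::FETCH_ASSOC) : FALSE;
}

/**
 * Hardened: the value travels as a bound parameter, never as SQL text, so
 * quotes and comment markers in $email are data rather than syntax.
 */
function example_phplist_subscriber(PDO $pdo, $email) {
  $stmt = $pdo->prepare('SELECT id, email FROM phplist_user_user WHERE email = :email');
  $stmt->execute(array(':email' => $email));
  return $stmt->fetch(PDO::FETCH_ASSOC);
}

/**
 * Identifiers (table and column names) cannot be bound; allow-list them.
 */
function example_phplist_subscribers_sorted(PDO $pdo, $column) {
  $allowed = array('id', 'email', 'entered');
  if (!in_array($column, $allowed, TRUE)) {
    $column = 'id';
  }
  $stmt = $pdo->query('SELECT id, email FROM phplist_user_user ORDER BY ' . $column);
  return $stmt ? $stmt->fetchAll(PDO::FETCH_ASSOC) : array();
}

/**
 * Same lookup through Drupal's database layer, assuming settings.php defines
 * a second connection key (an assumption for this example):
 *   $databases['phplist']['default'] = array(
 *     'driver' => 'mysql', 'database' => 'phplist', 'prefix' => 'phplist_', ...
 *   );
 * The {user_user} braces let Drupal apply that prefix.
 */
function example_phplist_subscriber_drupal($email) {
  $connection = Database::getConnection('default', 'phplist');
  return $connection->query(
    'SELECT id, email FROM {user_user} WHERE email = :email',
    array(':email' => $email)
  )->fetchAssoc();
}
```

The mitigation in the advisory (the attacker needs "administer PHPlist") limits who can reach the query, but the query itself is what decides whether input can become SQL; binding parameters removes that possibility regardless of the caller's role.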