DownloadFile is a module to direct download files or images.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.
Solution
If you use the download_file module for Drupal 7.x you should uninstall it.
The purpose of this module is to emit a 404 error when a user tries to access a unpublished pages.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed unpublished 404 module, there is nothing you need to do.
Solution
If you use the unpublished_404 module for Drupal 7.x you should uninstall it.
The Views module allows site builders to create listings of various data in the Drupal database.
The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it.
This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
views 7.x-3.x versions prior to 7.x-3.15.
Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.
Solution
Install the latest version:
If you use the views module for Drupal 7.x, upgrade to views 7.x-3.15
This module enables sites to automatically detect and set user timezones via JavaScript.
The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user’s timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Timezone Detect 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.
This module enables you to add a variety of meta tags to a site for helping with a site’s search engine results and to customize how content is shared on social networks.
The module doesn’t sufficiently protect against data being cached that might contain information related to a specific user.
This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Metatag 7.x-1.x versions prior to 7.x-1.21.
Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Metatag module for Drupal 7.x, upgrade to Metatag 7.x-1.21.
This module enables you to build a RESTful API for your Drupal site.
The restful_token_auth module (a sub-module) doesn’t validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.
This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the attacker only will have the access corresponding to the roles of the blocked user. Finally this only affects sites that use the sub-module, restful_token_auth.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
RESTful 7.x-1.x versions prior to 7.x-1.8.
RESTful 7.x-2.x versions prior to 7.x-2.16.
Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.
The module doesn’t sufficiently protect from CSRF attacks. The unflagging links do not include a token.
This vulnerability is mitigated by the fact that an attacker must be targeting users with the ‘clear flags’ role. They must also discover a valid combination of flag, content and user IDs for flagged content.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All Flag clear module versions prior to 7.x-2.0.
Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Flag clear module for Drupal 7.x, upgrade to Flag clear 7.x-2.0
The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system.
The module doesn’t sufficiently sanitise the name of the sort option which is displayed to users.
This vulnerability is mitigated by the fact that an attacker must have a role with permission ‘administer search_api’.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Search API Sorts 7.x-1.x versions prior to 7.x-1.7
Drupal core is not affected. If you do not use the contributed Search API sorts module, there is nothing you need to do.
This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.
Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.