The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled.
The module doesn’t sufficiently filter the help text which could lead to a Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer scheduler”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Scheduler 6.x-1.x versions prior to 6.x-1.10.
Scheduler 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Scheduler module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Scheduler module for Drupal 6.x, upgrade to Scheduler 6.x-1.10
If you use the Scheduler module for Drupal 7.x, upgrade to Scheduler 7.x-1.3
This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway’s SIM and DPM payment protocols.
Access Bypass
The module doesn’t sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.
Vulnerability: Access bypass, Information Disclosure
Description
OG Menu allows using menus within Organic Groups.
The permissions for accessing the module settings were too broad, possibly granting access to users who would normally not be able to change the OG Menu configuration.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access administration pages”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
OG Menu 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.
Solution
Install the latest version of the 7.x-2.x branch:
If you use the OG Menu module for Drupal 7.x, upgrade to OG Menu 7.x-2.2
The Addressfield Tokens module extends the Addressfield module by adding full token support.
The module doesn’t sufficiently filter malicious user input, opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create content” or “edit content”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Addressfield Tokens 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed Addressfield Tokens module,
there is nothing you need to do.
This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password.
The module doesn’t sufficiently sanitize user-generated text entered in the module’s configuration form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “configure passwordless settings”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Passwordless 7.x-1.x versions up to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Passwordless module,
there is nothing you need to do.
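The Scheduler, Addressfield Tokens and Passwordless advisories above share one root cause: a string that a privileged user typed into a configuration form is later printed into a page without output filtering. The following is an added illustration in Drupal 7 PHP, written for this page; it is not code from any of those modules. The module name `helptext_example`, its permission and its variable name are invented, and the vulnerable line is shown commented out beside the corrected one.

```php
<?php
// Hypothetical Drupal 7 module "helptext_example" (not Scheduler, Addressfield
// Tokens or Passwordless code): an administrator-supplied help string is stored
// in a variable and later printed on the node edit form for every user.

/**
 * Implements hook_permission().
 */
function helptext_example_permission() {
  return array(
    'administer helptext example' => array(
      'title' => t('Administer the example help text'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function helptext_example_menu() {
  $items['admin/config/content/helptext-example'] = array(
    'title' => 'Example help text',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('helptext_example_settings_form'),
    'access arguments' => array('administer helptext example'),
  );
  return $items;
}

/**
 * Settings form. The stored value is untrusted input from whoever holds the
 * permission; storing it unfiltered is acceptable, but every *output* of it
 * must be escaped or filtered.
 */
function helptext_example_settings_form($form, &$form_state) {
  $form['helptext_example_text'] = array(
    '#type' => 'textarea',
    '#title' => t('Help text shown on the node form'),
    '#default_value' => variable_get('helptext_example_text', ''),
  );
  return system_settings_form($form);
}

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 */
function helptext_example_form_node_form_alter(&$form, &$form_state) {
  $text = variable_get('helptext_example_text', '');
  if ($text === '') {
    return;
  }

  // VULNERABLE pattern: the stored string goes into #markup unchanged, so a
  // <script> tag or on* handler saved on the settings form is rendered for
  // every user who opens a node form (stored XSS).
  //
  // $form['helptext_example'] = array('#markup' => $text);

  // FIXED pattern: filter_xss_admin() keeps the benign HTML an administrator
  // may legitimately want (links, emphasis, lists) but strips scripts, style
  // and event-handler attributes. Use check_plain() instead when the text is
  // never meant to contain markup at all.
  $form['helptext_example'] = array(
    '#markup' => '<div class="helptext-example">' . filter_xss_admin($text) . '</div>',
    '#weight' => -100,
  );
}
```

The choice between `filter_xss_admin()` and `check_plain()` depends on whether the setting is documented as accepting HTML; if it is not, `check_plain()` is the safer default because it removes the question entirely.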
The Ubercart module provides a shopping cart and e-commerce features for Drupal.
Cross Site Request Forgery (CSRF)
The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a specially-crafted URL.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Ubercart 7.x-3.x versions prior to 7.x-3.8.
Ubercart 6.x-2.x versions prior to 6.x-2.14.
Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.8
If you use the Ubercart module for Drupal 6.x, upgrade to Ubercart 6.x-2.14
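The Ubercart issue above is the classic state-changing GET link without a request token. As an added illustration in Drupal 7 PHP (not Ubercart's own code; the module name `country_toggle_example`, its permission and its variable name are invented), the following shows an admin list whose enable/disable links carry a `drupal_get_token()` value bound to the exact path, and a callback that refuses the request unless `drupal_valid_token()` confirms it for the current session.

```php
<?php
// Hypothetical Drupal 7 module "country_toggle_example" (not Ubercart code):
// an admin page lists countries with enable/disable links. Because the links
// change state via GET, each one carries a CSRF token tied to its own path.

/**
 * Implements hook_permission().
 */
function country_toggle_example_permission() {
  return array(
    'administer country toggle example' => array(
      'title' => t('Enable or disable countries in the example store'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function country_toggle_example_menu() {
  $items['admin/store/countries'] = array(
    'title' => 'Countries',
    'page callback' => 'country_toggle_example_list',
    'access arguments' => array('administer country toggle example'),
  );
  // The %country_toggle_example_action loader restricts the verb to the two
  // known values; anything else is a 404 before the callback runs.
  $items['admin/store/countries/%/%country_toggle_example_action'] = array(
    'page callback' => 'country_toggle_example_toggle',
    'page arguments' => array(3, 4),
    'access arguments' => array('administer country toggle example'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Menu argument loader: returns FALSE (404) for anything but the two verbs.
 */
function country_toggle_example_action_load($action) {
  return in_array($action, array('enable', 'disable'), TRUE) ? $action : FALSE;
}

/**
 * Builds the list. The token is derived from the full path, so a token issued
 * for "disable/US" does not validate for "enable/US" or for another country.
 */
function country_toggle_example_list() {
  // Constructed sample data standing in for a real country table.
  $countries = variable_get('country_toggle_example_countries', array('US' => TRUE, 'DE' => FALSE));
  $rows = array();
  foreach ($countries as $code => $enabled) {
    $action = $enabled ? 'disable' : 'enable';
    $path = "admin/store/countries/$code/$action";
    $rows[] = array(
      check_plain($code),
      $enabled ? t('Enabled') : t('Disabled'),
      l($enabled ? t('Disable') : t('Enable'), $path, array(
        'query' => array('token' => drupal_get_token($path)),
      )),
    );
  }
  return theme('table', array(
    'header' => array(t('Code'), t('Status'), t('Operation')),
    'rows' => $rows,
  ));
}

/**
 * Menu callback. The VULNERABLE form of this function would act on $code and
 * $action as soon as the permission check passed, so any page that lured an
 * administrator into loading the URL could flip the setting. The FIXED form
 * below requires a token that only a page rendered for that administrator's
 * session could have contained.
 */
function country_toggle_example_toggle($code, $action) {
  $path = "admin/store/countries/$code/$action";
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  $countries = variable_get('country_toggle_example_countries', array());
  if (!isset($countries[$code])) {
    return MENU_NOT_FOUND;
  }
  $countries[$code] = ($action === 'enable');
  variable_set('country_toggle_example_countries', $countries);
  drupal_set_message(t('Country %code has been @state.', array(
    '%code' => $code,
    '@state' => $action === 'enable' ? t('enabled') : t('disabled'),
  )));
  drupal_goto('admin/store/countries');
}
```

Binding the token to the path (rather than calling `drupal_get_token()` with an empty value) is what stops a token harvested from one link being reused on another; a confirmation form built with `confirm_form()` is the other common Drupal idiom and gets the same protection from the form token automatically.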
This module enables you to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.
Information Disclosure
The module doesn’t sufficiently sanitize log data, allowing usernames and passwords to be included in its logs.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer bad behavior”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
badbehavior 6.x-2.x versions prior to 6.x-2.2216.
badbehavior 7.x-2.x versions prior to 7.x-2.2216.
Drupal core is not affected. If you do not use the contributed Bad Behavior module,
there is nothing you need to do.
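The Bad Behavior issue above is an information-disclosure bug in a logger rather than in the blocking logic: the request it records can contain a login form's credentials, and every holder of the log-viewing permission then sees them. As an added illustration in Drupal 7 PHP (not the Bad Behavior module's code; the `request_log_example` function names and the sample request are invented), the following scrubs credential-bearing keys from POST data and headers, recursively, before anything reaches `watchdog()`.

```php
<?php
// Hypothetical helper set (not Bad Behavior code) showing how a request logger
// can scrub credentials before writing a record that other administrators read.

/**
 * Key fragments whose values must never reach a log. Matched case-insensitively
 * as substrings so "pass", "user_password" and "confirm_pass" are all caught.
 */
function request_log_example_sensitive_keys() {
  return array('pass', 'password', 'passwd', 'secret', 'token', 'authorization', 'cookie');
}

/**
 * Returns a copy of $data with sensitive values replaced by a placeholder.
 * Recurses so nested form arrays (for example account[pass]) are covered.
 */
function request_log_example_scrub(array $data) {
  $sensitive = request_log_example_sensitive_keys();
  $clean = array();
  foreach ($data as $key => $value) {
    $lower = strtolower((string) $key);
    $hit = FALSE;
    foreach ($sensitive as $needle) {
      if (strpos($lower, $needle) !== FALSE) {
        $hit = TRUE;
        break;
      }
    }
    if ($hit) {
      $clean[$key] = '[redacted]';
    }
    elseif (is_array($value)) {
      $clean[$key] = request_log_example_scrub($value);
    }
    else {
      $clean[$key] = $value;
    }
  }
  return $clean;
}

/**
 * Logging entry point: scrubs the request, then hands the serialized record to
 * watchdog(). The %data placeholder makes Drupal escape the value when the log
 * entry is displayed, which closes the separate XSS-in-log-viewer risk.
 */
function request_log_example_log_request(array $post, array $headers) {
  $record = array(
    'post' => request_log_example_scrub($post),
    'headers' => request_log_example_scrub($headers),
  );
  watchdog('request_log_example', 'Blocked request: %data', array('%data' => serialize($record)), WATCHDOG_NOTICE);
  return $record;
}

// Constructed sample input: a Drupal login POST plus two headers. After
// scrubbing, the "pass" and "Cookie" values are replaced by "[redacted]"
// while "name", "form_id" and "Host" are kept.
$sample_post = array('name' => 'alice', 'pass' => 'hunter2', 'form_id' => 'user_login');
$sample_headers = array('Host' => 'example.invalid', 'Cookie' => 'SESSabc=123');
$scrubbed = request_log_example_log_request($sample_post, $sample_headers);
```

A deny-list of key fragments is deliberately broad (it also redacts `form_token` and any `*_secret` field); for a blocking log that is the right trade-off, since the operator needs the path, user agent and field names to tune rules, not the field contents.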
The oa_core module contains the base access control mechanism for the Open Atrium distribution (OA2). In OA2, file attachments are given the same access permission as the node they are attached to.
The vulnerability occurs when an attachment is removed from a node that has Revisions enabled. Anonymous users can still view the file, because it remains attached to the previous revision.
This vulnerability is mitigated by the fact that it requires using Revisions and removing files attached to revisions. If revisions are disabled or files are not removed from nodes then access works as designed.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.