• Advisory ID: DRUPAL-SA-CONTRIB-2017-013
• Project: Acquia Content Hub (third-party module)
• Version: 8.x
• Date: 2017-February-08
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
• Vulnerability: Access bypass

Description

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service.

The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4.

Drupal core is not affected. If you do not use the contributed Acquia Content Hub module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Acquia Content Hub module for Drupal 8.x, upgrade to Acquia Content Hub 8.x-1.4

Also see the Acquia Content Hub project page.

Reported by

• Samuel Mortenson

Fixed by

• Alejandro Barrios the module maintainer
• Cash William of the Drupal Security Team
• Samuel Mortenson
• Kyle Browning
• Wim Leers

Coordinated by

• Stéphane Corlosquet of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-012
• Project: Web Experience Toolkit: Omega (third-party module)
• Version: 7.x
• Date: 2017-February-08
• Security risk: 10/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Proof/TD:Uncommon
• Vulnerability: Access bypass

Description

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme.

When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn’t have access to them.

This is mitigated by the fact that the unprivileged users won’t be able to actually visit the links.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• wetkit_omega 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Web Experience Toolkit: Omega module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the wetkit_omega module for Drupal 7.x, upgrade to wetkit_omega 7.x-1.15

Also see the Web Experience Toolkit: Omega project page.

Reported by

• Fabian Franz

Fixed by

• William Hearn the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team
• David Snopek of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-011
• Project: Facebook Pull (third-party module)
• Version: 7.x
• Date: 2017-February-08
• Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting

Description

This module enables you to add integration with Facebook API.

The module doesn’t sufficiently sanitize incoming data from Facebook.

This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and recreate API endpoints.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Facebook Pull versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Facebook Pull module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Facebook Pull module for Drupal 7.x, upgrade to Facebook Pull 7.x-3.1

Also see the Facebook Pull project page.

Reported by

• Nedjo Rogers

Fixed by

• Dave Ferrara the module maintainer
• Lee Rowlands of the Drupal Security Team

Coordinated by

• Michael Hess of the Drupal Security Team
• David Snopek of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-010
• Project: Storage API stream wrappers (third-party module)
• Version: 7.x
• Date: 2017-February-08
• Security risk: 13/25 ( Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
• Vulnerability: Access bypass

Description

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API’s core_bridge submodule.

It provides two stream wrappers: “Storage API Public” and “Storage API Private”.

The private storage API doesn’t sufficiently performs access control allowing anonymous users to access the private storage files.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Storage API stream wrappers 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Storage API stream wrappers module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Storage API stream wrappers module for Drupal 7.x, upgrade to Storage API stream wrappers 7.x-1.1

Also see the Storage API stream wrappers project page.

Reported by

• Gareth Goodwin

Fixed by

• Jonathan Araña Cruz the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team
• David Snopek of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-009
• Project: Better Exposed Filters (third-party module)
• Version: 7.x
• Date: 2017-February-01
• Security risk: 7/25 ( Less Critical) AC:Complex/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon
• Vulnerability: Cross Site Scripting

Description

The Better Exposed Filters module gives site builders more choices for rendering Views’ exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the “Include the term description” option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer taxonomy”.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Better Exposed Filters 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Better Exposed Filters module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Better Exposed Filters module for Drupal 7.x, upgrade to Better Exposed Filters 7.x-3.4 or greater.

Also see the Better Exposed Filters project page.

Reported by

• Henri Medot (anrikun)

Fixed by

• Henri Medot (anrikun)
• Mike Keran (mikeker) the module maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-008
• Project: Salescloud (third-party module)
• Version: 7.x
• Date: 2017-Jan-25
• Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All

Description

This module Connects Drupal to SalesCloud’s API, a Commerce Platform as a Service.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions

Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.

Solution

If you use the salescloud module for Drupal 7.x you should uninstall it.

Also see the salescloud project page.

Reported by

• Cash Williams of the Drupal Security Team

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-007
• Project: microblog (third-party module)
• Version: 7.x
• Date: 2017-Jan-25
• Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All

Description

This module enables microblogging on Drupal sites using it.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

Solution

If you use the microblog module for Drupal 7.x you should uninstall it.

Also see the microblog project page.

Reported by

• Reuben Unruh

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-006
• Project: OAuth (third-party module)
• Version: 7.x
• Date: 2017-January-25
• Security risk: 8/25 ( Less Critical) AC:Complex/A:Admin/CI:None/II:Some/E:Theoretical/TD:Default
• Vulnerability: Access bypass

Description

This module enables you to use the OAuth 1.a protocol to authenticate requests.

The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

• If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by

• Tim Brandin
• Damien McKenna of the Drupal Security Team

Fixed by

• Tim Brandin
• Juampy NR the module maintainer

Coordinated by

• Michael Hess of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Klaus Purer of the Drupal Security Team

Changelog

• 2017-01-25: Released the advisory as unsupported module.
• 2017-01-25: Updated the advisory as the module is supported again and a security release was made.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-005
• Project: (third-party module)
• Version: 7.x
• Date: 2017-January-11
• Security risk: 23/25 ( Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
• Vulnerability: Arbitrary PHP code execution

Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its “includes” directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.

Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Mailjet 7.x-2.x versions prior 7.x-2.9.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet7.x-2.9

Also see the project page.

Reported by

• hargobind

Fixed by

• Proxiad the module maintainer

Coordinated by

• Damien McKenna of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-004
• Project: OpenLucius (third-party distribution)
• Version: 7.x
• Date: 2017-January-11
• Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting, Cross Site Request Forgery

Description

OpenLucius is a work management platform for social communication, documentation, and projects.

The distribution doesn’t sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery (CSRF) vulnerability.

The distribution does not sufficiently filter taxonomy term names before outputting them to HTML thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have permissions to insert malicious taxonomy terms.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Openlucius 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed OpenLucius News module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Openlucius for Drupal 7.x, upgrade to Openlucius 7.x-1.7

Also see the OpenLucius News project page.

Reported by

• Klaus Purer of the Drupal Security Team

Fixed by

• Thomas Dik the distribution maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity