This module enables administrators to set unique registration paths per Profile2 profile type.
The module allows users to register even though a site is configured to prevent registration.
The module fails to filter some configuration text. This vulnerability is mitigated by the fact that an attacker must have the “Administer profiles” permission.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions are affected.
Drupal core is not affected. If you do not use the contributed Profile2 Registration Path module, there is nothing you need to do.
This module enables you to run NCBI BLAST jobs on the host system.
The module doesn’t sufficiently validate the advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell commands that will be executed when the BLAST job is run.
This vulnerability only requires the attacker to have minimal permissions on the site (for example, “View published content”) and therefore can be exploited by untrusted or unauthenticated users in most cases.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Tripal BLAST UI 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Tripal BLAST UI module, there is nothing you need to do.
This module provides a user interface to create and configure forms called Webforms.
When using forms with private file uploads, Webform wasn’t explicitly denying access to the files it managed, which could allow access to be granted by other modules.
The vulnerability is mitigated by the fact that another module has to explicitly grant access to those files.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Webform 7.x-3.x versions prior to 7.x-3.25.
Webform 7.x-4.x is unaffected.
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
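To illustrate the access model the Webform advisory relies on: in Drupal 7 the private file system consults every implementation of hook_file_download(), and a module that returns -1 denies the download regardless of what any other module returns. The following is an added example of that explicit-deny pattern, written for this page and not taken from Webform itself; the module name example_private_deny and the private://webform/ path prefix are assumptions for the illustration.

```php
<?php

/**
 * Implements hook_file_download().
 *
 * Example (not Webform's own code): explicitly deny access to privately
 * stored files under an assumed webform/ directory unless the current
 * user holds a permission that the module deliberately chose. Returning
 * -1 is a hard deny in Drupal 7's file download pipeline, so another
 * module returning headers for the same file cannot override it.
 */
function example_private_deny_file_download($uri) {
  // Only take a position on files this module is responsible for.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }
  if (strpos($uri, 'private://webform/') !== 0) {
    return NULL;
  }

  // Assumed permission name for the illustration; a real module would
  // check the submission's own access rules here instead.
  if (!user_access('access all webform results')) {
    return -1;
  }

  // Grant access by returning the response headers for the file.
  return array(
    'Content-Type' => file_get_mimetype($uri),
    'Content-Length' => filesize($uri),
  );
}
```

The security-relevant point is the NULL versus -1 distinction: returning NULL (or nothing) means “no opinion”, which lets any other module grant the download, while -1 is the explicit denial the advisory says was missing.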
The module doesn’t sufficiently sanitize the cron rules entered into the “Predefined rules” field, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer elysia cron”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Elysia Cron 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Elysia Cron module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Elysia Cron module for Drupal 7.x, upgrade to Elysia Cron 7.x-2.3
Users without “Administer comments” can set comment visibility on nodes they can edit. (Less critical)
Users who have rights to edit a node can set the visibility of comments for that node. This should be restricted to those who have the “Administer comments” permission.
Cross-site Scripting in http exceptions (critical)
An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim’s browser. Drupal was not properly sanitizing an exception
Full config export can be downloaded without administrative permissions (critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
8.x
Solution
Upgrade to Drupal 8.1.10
This module enables regular users to create unlimited private flags called lists.
The flag_lists module doesn’t sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the “Create flag lists” permission.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
flag_lists 7.x-3.x versions prior to 7.x-3.1.
flag_lists 7.x-1.x versions prior to 7.x-1.3.
Please note that there are two different versions of the flag_lists module available: 7.x-3.x, which is used together with Flag 7.x-3.x, and 7.x-1.x, which is used with the earlier Flag module prior to 7.x-3.x.
Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need to do.
Solution
Install the latest version:
If you use the flag_lists module for Drupal 7.x-3.x, upgrade to Flag Lists 7.x-3.1
If you use the flag_lists module for Drupal 7.x-1.x, upgrade to Flag Lists 7.x-1.3
Flag enables users to mark content with any number of admin-defined flags, such as ‘bookmarks’ or ‘spam’. Flag Bookmark is a submodule within Flag, which provides a ‘bookmarks’ flag, and default views to list bookmarked content.
The provided view that lists each user’s bookmarked content as a tab on their user profile has for its access control the permission to use the ‘bookmarks’ flag. This means that any user who has permission to use the ‘bookmarks’ flag can see the list of content that any user has bookmarked.
This vulnerability is mitigated by the fact that the site must have enabled the Flag Bookmark module to create this view, and an attacker must have a role with the permission “Flag node entities as bookmarks”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Flag 7.x-3.x versions prior to 7.x-3.8.
Drupal core is not affected. If you do not use the contributed Flag module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8
If you have Flag Bookmark enabled, or have enabled it in the past and still have the flag_bookmarks_tab view active, edit this view and change the User: uid contextual filter as follows:
set the validator to ‘Current user ID matches argument value’
set the action to take if the filter value does not validate to ‘Show “Page not found”’.
Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another.
An authenticated user could add a schedule to a node even when that content type has schedules disabled.
The vulnerability is mitigated by the fact that an attacker must have access to an account in the system with permission to edit content and create schedules. Also, only sites with a specific combination of permissions and modules are affected.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Workbench Scheduler module, there is nothing you need to do.