Panelizer enables you to use Panels to replace the display of any entity, and even modify the Panels configuration in-place using the Panels In-Place Editor (IPE).
The default behavior for Panels IPE is to allow any user with the permissions “Use the Panels In-Place Editor” and “Change layouts with the Panels In-Place Editor” access to the IPE regardless of whether or not a user has access to edit the underlying entity. While users cannot edit the entity itself, they can change the layout and the different panel panes shown (effectively allowing them to edit it).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Use the Panels In-Place Editor” and the IPE must be enabled for the specific content type.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Panelizer 7.x-3.x versions prior to 7.x-3.3.
Drupal core is not affected. If you do not use the contributed Panelizer module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Panelizer module for Drupal 7.x, upgrade to Panelizer 7.x-3.3
Vulnerability: Access bypass, Information Disclosure
Description
Panels does not check access on some routes (Critical)
Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels.
Much of the functionality to modify these panels relies on backend routes that call administrative forms. These forms did not provide any access checks or site-specific encoded URLs. This can allow an attacker to guess the backend URL as an anonymous user and see data loaded for the form.
There is no mitigation for this exploit. Any site with panels enabled is vulnerable.
Panels In-place Editor does not properly check for access (Moderately Critical)
The Panels In-Place Editor (IPE) allows users with certain permissions to modify the layout and panel content of pages.
The default behavior for Panels IPE is to allow any user with the permissions “Use the Panels In-Place Editor” and “Change layouts with the Panels In-Place Editor” access to the IPE regardless of whether or not a user has proper access to the page. While users cannot edit the page content itself, they can change the layout and the different panel panes shown.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Use the Panels In-Place Editor” and the IPE must be enabled for the specific content type.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Panels 7.x-3.x versions prior to 7.x-3.6.
Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Panels module for Drupal 7.x, upgrade to Panels 7.x-3.6
The Hosting module is a core component of the Aegir Hosting System.
This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.
The Hosting module does not sufficiently control access to any custom content types created by the user. The default content types are sufficiently protected.
This vulnerability is mitigated by the fact that on a typical installation the users who have access normally have admin privilege already, and few installations will have created additional custom content types.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Hosting 7.x-3.x versions prior to 7.x-3.7.
Drupal core is not affected. If you do not use the contributed Hosting module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Hosting module for Drupal 7.x, upgrade to Hosting 7.x-3.7
Vulnerability: Cross Site Scripting, Access bypass
Description
This module enables you to restrict site access without using user roles or permissions.
The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Require Login 7.x-2.x versions prior to 7.x-2.4
Require Login 8.x-1.x versions prior to 8.x-1.8
Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Require Login module for Drupal 7.x, upgrade to Require Login 7.x-2.4
If you use the Require Login module for Drupal 8.x, upgrade to Require Login 8.x-1.8
The module does not check the validity of the state parameter during the server-side flow before getting a token. This may allow a malicious user to feed a fake access_token to another user, and subsequently provide them with fake data from the server. This page explains it in more detail: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oau…
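As an added example (not code from the OAuth2 Client module), the state check the advisory says was missing: the client mints a random state when it starts the server-side (authorization code) flow, binds it to the browser session, and refuses to exchange the returned code for a token unless the provider echoes that same state back for the same session. The session store, URLs and client id below are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the server-side session store: session id -> dict.
SESSIONS = {}


def start_authorization(session_id, authorize_url, client_id, redirect_uri):
    """First leg of the flow: mint an unguessable state value, bind it to the
    browser session that started the flow, and carry it on the redirect to
    the provider's authorization endpoint."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth2_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_url}?{query}"


def state_from_url(url):
    """Read the state value out of a redirect or callback URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session_id, callback_url):
    """Second leg: the provider redirects back with ?code=...&state=...
    Return the authorization code only if the echoed state matches the one
    stored for *this* session; otherwise return None and do not exchange the
    code for a token. The unpatched module skipped this comparison, so a
    callback URL minted in one session could complete the flow in another."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # pop() makes each state single-use, so a captured callback cannot be replayed
    expected = SESSIONS.get(session_id, {}).pop("oauth2_state", None)
    if not expected or not hmac.compare_digest(returned_state.encode(),
                                               expected.encode()):
        return None
    return params.get("code", [None])[0]
```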
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
OAuth2 Client 7.x-1.x versions prior to 7.x-1.5.
Drupal core is not affected. If you do not use the contributed OAuth2 Client module, there is nothing you need to do.
Solution
Install the latest version:
If you use the OAuth2 Client module for Drupal 7.x, upgrade to OAuth2 Client 7.x-1.5
This module enables you to add integration with Piwik statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Piwik”.
For greater flexibility, a new feature has been added to the module to implement the new permission “Add JavaScript snippets”, which can be assigned to users who are allowed to add JS code snippets to your web site.
If you have granted the Administer Google Analytics permission to untrusted users, please check your settings to make sure all JavaScript entered is valid.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Piwik 7.x-2.x versions prior to 7.x-2.9.
Piwik 8.x-2.x versions prior to 8.x-1.1.
Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Piwik module for Drupal 7.x, upgrade to Piwik 7.x-2.9
If you use the Piwik module for Drupal 8.x, upgrade to Piwik 8.x-1.1
This module enables you to add integration with Google Analytics statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Google Analytics”.
For greater flexibility, a new feature has been added to the module to implement the new permission “Add JavaScript snippets”, which can be assigned to users who are allowed to add JS code snippets to your web site.
If you have granted the Administer Google Analytics permission to untrusted users, please check your settings to make sure all JavaScript entered is valid.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Google Analytics 7.x-2.x versions prior to 7.x-2.3.
Google Analytics 8.x-2.x versions prior to 8.x-2.1.
Drupal core is not affected. If you do not use the contributed Google Analytics module, there is nothing you need to do.
Administration Views module replaces overview/listing pages with actual views for superior usability.
The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Administration Views 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.
If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:
Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.
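As an added illustration (not the advisory's own .htaccess snippet, which is not reproduced on this page), the mechanism behind httpoxy and an application-level guard in Python: the CGI meta-variable rule turns a client-sent Proxy header into HTTP_PROXY, the environment variable HTTP clients such as Guzzle read for their outbound proxy. The request headers are constructed; stripping the variable per request is the in-application equivalent of unsetting the header at the web server.

```python
# Constructed request headers, as a CGI-style gateway would receive them.
CONSTRUCTED_HEADERS = {
    "Host": "site.example",
    "Proxy": "http://proxy.attacker.example:8080",  # supplied by the client
    "User-Agent": "constructed-client/1.0",
}


def cgi_environ_from_headers(headers):
    """Apply the CGI meta-variable rule (RFC 3875 section 4.1.18): each request
    header 'Name: value' becomes HTTP_NAME=value, upper-cased with '-' mapped
    to '_'. This is the step that lets an attacker-chosen 'Proxy' header land
    in HTTP_PROXY, which Guzzle and other clients treat as their proxy setting."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def drop_request_proxy(env):
    """Guard to run before the application sees the request: remove HTTP_PROXY
    from the request environment. No standard request header is named 'Proxy',
    so nothing legitimate is lost by dropping it."""
    clean = dict(env)
    clean.pop("HTTP_PROXY", None)
    return clean


def outbound_proxy(env):
    """What a naive server-side HTTP client would pick up from this environment
    for its next outbound request (None when no proxy variable is present)."""
    return env.get("HTTP_PROXY")
```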
Why is this being released Monday rather than Wednesday?
The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.