The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.
The module doesn’t sufficiently validate user input in a script file that has the PHP extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary PHP code.
There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Coder module 7.x-1.x versions prior to 7.x-1.3.
Coder module 7.x-2.x versions prior to 7.x-2.6.
Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.
Solution
Two solutions are possible.
A first option is to remove the module from all publicly available websites:
The Coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire Coder module directory from any publicly accessible website.
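As an added example (not part of the Coder module or of this advisory), the following PHP script walks a Drupal docroot for coder.info files, reads the version line that Drupal’s packaging writes into them, and reports whether each copy falls inside the affected ranges listed here (7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.6). The docroot path, the function names and the treatment of dev checkouts as affected are assumptions of the example.

```php
<?php
// Added example: scan a docroot for Coder and classify its version against the
// fixed releases named in the advisory. Not the module's own code.

// Fixed release per 7.x branch, from the advisory's "Versions affected".
const CODER_FIXED_VERSIONS = ['1' => '1.3', '2' => '2.6'];

/** Returns the version string from a .info file, or null if it has none. */
function info_version(string $path): ?string {
  foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) {
    if (preg_match('/^\s*version\s*=\s*"?([^"\s]+)"?/', $line, $m)) {
      return $m[1];
    }
  }
  return null;
}

/** Classify a "7.x-N.M" style version against the fixed releases. */
function coder_status(?string $version): string {
  if ($version === null) {
    // Git checkouts carry no version line; assume the worst (assumption).
    return 'unknown version (dev checkout?) - treat as affected';
  }
  if (!preg_match('/^7\.x-(\d+)\.(.+)$/', $version, $m)) {
    return "not a 7.x release ($version)";
  }
  $branch = $m[1];
  $have = $branch . '.' . $m[2];
  if (!isset(CODER_FIXED_VERSIONS[$branch])) {
    return "branch 7.x-$branch.x not covered by the advisory";
  }
  $fixed = CODER_FIXED_VERSIONS[$branch];
  // version_compare() orders 1.2 < 1.3, 1.3-beta1 < 1.3 and 1.x-dev < 1.3,
  // so pre-releases and dev snapshots of a fixed release are still flagged.
  return version_compare($have, $fixed, '<')
    ? "AFFECTED ($version is older than 7.x-$fixed)"
    : "fixed release ($version)";
}

$docroot = $argv[1] ?? '/var/www/html';  // assumed path; pass your own
$iterator = new RecursiveIteratorIterator(
  new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
);
$found = false;
foreach ($iterator as $file) {
  if ($file->getFilename() === 'coder.info') {
    $found = true;
    $path = $file->getPathname();
    printf("%s: %s\n", dirname($path), coder_status(info_version($path)));
  }
}
if (!$found) {
  echo "no coder.info found under $docroot\n";
}
```

Any hit on a publicly reachable docroot is worth acting on regardless of version, since the advisory’s own recommendation is to keep Coder off public servers entirely; the version check only tells you how urgent the removal is.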
The Webform Multiple File Upload module allows users to upload multiple files on a Webform.
The Webform Multiple File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.
This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked on wake-up or destruction (PHP’s __wakeup()/__destruct() magic methods) that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.
Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.
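The pattern behind this advisory, as an added example that is not the webform_multifile module’s own code: a submitted form value is handed to unserialize(), so the client chooses which class is instantiated and which magic methods run. The example puts that decoder beside two hardened ones, a format-compatible one that forbids object instantiation and one that drops serialization for JSON, with a shared shape check that accepts only a flat list of positive file IDs. Function names, the JSON storage format and the constructed inputs are assumptions of the example.

```php
<?php
// Added example contrasting the unserialize() pattern the advisory describes
// with two hardened decoders. Not code from the webform_multifile module.

/**
 * Vulnerable pattern: whatever class name the client puts in the payload is
 * instantiated, so any __wakeup()/__destruct() present on the site runs.
 */
function decode_fids_vulnerable(string $raw): array {
  $value = unserialize($raw);
  return is_array($value) ? $value : [];
}

/**
 * Accept only a flat list of positive integers (file IDs). Anything else,
 * including objects, nested arrays or path-like strings, rejects the payload.
 */
function validate_fid_list($value): array {
  if (!is_array($value)) {
    return [];
  }
  $fids = [];
  foreach ($value as $fid) {
    $ok = (is_int($fid) && $fid > 0)
      || (is_string($fid) && ctype_digit($fid) && $fid[0] !== '0');
    if (!$ok) {
      return [];
    }
    $fids[] = (int) $fid;
  }
  return $fids;
}

/**
 * Hardened decoder A (PHP 7+): keep the serialized format but forbid object
 * instantiation; objects become __PHP_Incomplete_Class with no magic methods
 * invoked, and the shape check then rejects them.
 */
function decode_fids_no_objects(string $raw): array {
  $value = @unserialize($raw, ['allowed_classes' => false]);
  return validate_fid_list($value);
}

/**
 * Hardened decoder B: a format with no object semantics at all.
 */
function decode_fids_json(string $raw): array {
  $value = json_decode($raw, true);
  return validate_fid_list($value);
}

// Constructed inputs for the demonstration (not captured traffic).
$inputs = [
  'legitimate serialized list' => serialize([12, 34]),
  'serialized object'          => 'O:8:"stdClass":0:{}',
  'legitimate json list'       => json_encode([12, 34]),
  'json with non-integer'      => '["12","../../settings.php"]',
];
foreach ($inputs as $label => $raw) {
  printf("%-28s no_objects=%s json=%s\n", $label,
    json_encode(decode_fids_no_objects($raw)),
    json_encode(decode_fids_json($raw)));
}
```

The stronger fix is not to round-trip the list through the client at all: Drupal 7’s Form API keeps server-side state across rebuilds in $form_state, so a list of uploaded file IDs can live there and never be deserialized from a request. Where a serialized value must be accepted for compatibility, decoder A plus the shape check is the minimum; decoder B removes the class of bug outright.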
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Webform Multifile 7.x-1.x versions prior to 7.x-1.4
Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.
This module enables you to authenticate with Instagram’s API via an intermediary service (instagram.yanniboi.com).
The module doesn’t sufficiently advise that your authentication tokens could be intercepted.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Instagram Block 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Instagram Block module, there is nothing you need to do.
Saving user accounts can sometimes grant the user all roles (User module – Drupal 7 – Moderately Critical)
A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.
This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.
Views can allow unauthorized users to see Statistics information (Views module – Drupal 8 – Less Critical)
An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”.
The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”.
The same vulnerability exists in the Drupal 8 core Views module (see SA-CORE-2016-002).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Views 7.x-3.x versions prior to 7.x-3.14.
Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.14
This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module.
The module doesn’t sufficiently sanitize titles when presenting them on this interface.
This vulnerability is mitigated by the fact that an attacker must have the ability to use Outline Designer, which is generally reserved for content authors and system admins.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Outline Designer 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Outline Designer module, there is nothing you need to do.
This module enables you to embed the contents of one node in the body field of another.
The module doesn’t sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content which allows other content to be embedded.
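The guard the advisory says Node Embed lacks, as an added example that is not the module’s own code: a renderer that tracks which node IDs are being expanded on the current call chain and refuses to expand any ID already on it (which catches both a node embedding itself and a longer cycle), with a depth cap as a second limit against deep but acyclic chains. The in-memory node table, the [node:ID] token syntax and the function names are assumptions of the example.

```php
<?php
// Added example of a cycle-safe embed renderer. Not the Node Embed module's code.

// Constructed node bodies: node 3 embeds itself, nodes 1 and 2 embed each other.
$nodes = [
  1 => 'Intro. [node:2] End of 1.',
  2 => 'Detail. [node:1] End of 2.',
  3 => 'Loop to self: [node:3]',
  4 => 'Plain. [node:5]',
  5 => 'Leaf, no embeds.',
];

// Upper bound on nesting, independent of cycle detection (assumed value).
const MAX_EMBED_DEPTH = 5;

/**
 * Render a node body, expanding [node:N] tokens recursively.
 *
 * $stack holds the IDs being rendered on this call chain, keyed by ID. It is
 * passed by value, so sibling embeds of the same node are still allowed;
 * only an ancestor re-appearing is treated as a cycle.
 */
function render_node(array $nodes, int $nid, array $stack = []): string {
  if (!isset($nodes[$nid])) {
    return '';
  }
  if (isset($stack[$nid])) {
    // Cycle: stop here and leave a marker that is easy to grep for.
    return '<!-- embed cycle blocked: node ' . $nid . ' -->';
  }
  if (count($stack) >= MAX_EMBED_DEPTH) {
    return '<!-- embed depth limit reached at node ' . $nid . ' -->';
  }
  $stack[$nid] = true;
  return preg_replace_callback(
    '/\[node:(\d+)\]/',
    function (array $m) use ($nodes, $stack): string {
      return render_node($nodes, (int) $m[1], $stack);
    },
    $nodes[$nid]
  );
}

// Expected: node 1 renders node 2 once and then blocks the return to node 1;
// node 3 blocks itself immediately; node 4 renders the leaf normally.
foreach ([1, 3, 4] as $nid) {
  echo "node $nid => ", render_node($nodes, $nid), "\n";
}
```

The guard only addresses unbounded recursion; a real embed filter still has to apply node access checks before expanding a referenced node, otherwise embedding becomes a way to read content the viewer may not see directly.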
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All Node Embed 7.x-1.x versions.
Drupal core is not affected. If you do not use the contributed Node Embed module, there is nothing you need to do.
Solution
If you use the Node Embed module for Drupal 7.x you should uninstall it.
This module enables you to make Panels pages (and other pages managed by CTools’ Page Manager submodule) indexable and searchable through the standard Search module provided in Drupal core.
The module doesn’t block access to Page Manager pages which have been disabled.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Page Manager Search 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Page Manager Search module, there is nothing you need to do.
This module enables you to enter opening hours for locations in a highly detailed way.
The module doesn’t sufficiently escape user-supplied input.
This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit opening hours for content”, or have permissions to edit taxonomy terms.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Opening Hours 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Opening Hours module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Opening Hours module for Drupal 7.x, upgrade to Opening Hours 7.x-1.6