The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date.
The module doesn’t sufficiently filter the URL when it is displayed in the sitemap.
This vulnerability is mitigated if the setting for “Include a stylesheet in the sitemaps for humans.” on the module’s administration settings page is not enabled (the default is enabled).
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
XML Sitemap 7.x-2.x versions prior to 7.x-2.3.
Drupal core is not affected. If you do not use the contributed XML Sitemap module, there is nothing you need to do.
Solution
Install the latest version:
If you use the XML Sitemap module for Drupal 7.x, upgrade to XML Sitemap 7.x-2.3.
Vulnerability: Access bypass, Information Disclosure
Description
This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the “view link” or any custom links created.
The module doesn’t sufficiently check access permissions when the user clicks on a views megarow link.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Views megarow 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Views megarow module for Drupal 7.x, upgrade to Views megarow 7.x-1.6.
Vulnerability: Cross Site Scripting, Access bypass, Cross Site Request Forgery, Information Disclosure, Multiple vulnerabilities
Description
This module enables you to view Dropbox files in your Drupal site.
The module doesn’t sufficiently sanitize filenames when displaying them to users or administrators, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the Dropbox folder that the victim later views through the Drupal site.
Additionally, the module shipped with hardcoded and exposed OAuth credentials, exposing known users of the module to phishing and/or access bypass.
The app secret has been made invalid, making the exposed secrets unusable to an attacker. This also makes the module unusable without upgrading and taking the necessary steps to register a new Dropbox app.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All dropbox_client 7.x-3.x versions.
Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.
Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content.
When combined with the Open Atrium Mailhandler app, incoming email replies to notifications can be processed as new comments. Notifications generated from these imported replies can be sent to the wrong list of users.
This vulnerability is mitigated by the fact that it depends on the specific configuration of the mailhandler that is processing notifications.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
oa_notifications 7.x-2.x versions prior to 7.x-2.30.
Open Atrium 7.x-2.x versions prior to 7.x-2.63.
Drupal core is not affected. If you do not use the contributed Open Atrium Notifications module, there is nothing you need to do.
This module enables you to create fieldable entities that have special integration with Panels.
The module doesn’t sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to create FPP objects, and then either:
a user with permission to use the Panels In-Place-Editor (IPE) must visit a page that the FPP object is added to; or
a user with permission to use the Panels admin interface must edit a page the FPP object is added to.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.
Vulnerability: Cross Site Scripting, Cross Site Request Forgery
Description
EPSA Crop is a module that allows a user to choose coordinates for different presets on an image. If a user defines coordinates, EPSA Crop will override the Imagecache process and set the new coordinates.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of the EPSA Crop module.
Drupal core is not affected. If you do not use the contributed EPSA Crop module, there is nothing you need to do.
Solution
If you use the EPSA Crop module for Drupal 7.x, you should uninstall it.
This module enables users to create and manage their own ‘groups’. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, and groups can even be invitation-only.
Under certain field configurations a user is able to subscribe without approval to a group that requires membership approval. Depending on permissions, the user may then be able to post content to that group.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Organic groups 7.x-2.x versions prior to 7.x-2.9.
Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.
Vulnerability: Information Disclosure, Cross Site Scripting, Access bypass
Description
This module enables you to build searches using a wide range of features, data sources and backends.
Search index not updated by node access changes
The module doesn’t sufficiently re-index nodes when the “Node access” or “Access check” data alterations are used together with non-standard ways of changing node access. This could lead to nodes or comments being listed in search results to which the visitor viewing the results should not have access.
This vulnerability is mitigated by the fact that this only occurs in uncommon setups, and that only nodes that were already accessible to the user at some point can be displayed.
XSS vulnerability in Views search results
The module doesn’t sufficiently sanitize field values returned directly from the search server (e.g., Solr).
This vulnerability is mitigated by the fact that several components/modules need to be configured in a specific way to allow this vulnerability to be exploited.
Doesn’t check for “access comments” permission when searching for comments
The module doesn’t sufficiently check the user’s permissions when comments are searched.
This vulnerability is mitigated by the fact that it only occurs in specific site configurations:
A search index with item type “Comment”.
Using the “Access check” data alteration for protection.
The site allowing certain users to view content (nodes), but not comments.
A search page for the comment index must be accessible to these users.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Search API 7.x-1.x versions prior to 7.x-1.18.
Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Search API module for Drupal 7.x, upgrade to Search API 7.x-1.18.
This module provides static page caching for Drupal, enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.
The module doesn’t prevent the form cache from leaking between anonymous users, which could result in information disclosure where one user sees form data generated for another.
This vulnerability is mitigated by the fact that it only affects AJAX forms which expose sensitive data to anonymous users.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Boost 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1.