Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.
When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.
Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379
Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.
This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren’t normal installed.
You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.
This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions.
The module doesn’t always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes may be editable in ways a site admin may not expect.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Private 7.x-1.x versions
Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Private module 7.x-1.x your site may be at risk. The only completely safe option is to take the website off-line. In most cases, disabling the module will not mitigate the vulnerabilities as that will expose even more private information.
A new maintainer has developed a beta secure version of the module using the 7.x-2.x branch. This is a partial rewrite and needs further testing. Please test it and provide bug reports and help developing patches.
This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process.
The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account.
In order to exploit, the attacker must have an active account on the site.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
PRLP versions prior to 8.x-1.3
Drupal core is not affected. If you do not use the contributed Password Reset Landing Page (PRLP) module, there is nothing you need to do.
Solution
Install the latest version:
If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 (the latest 8.x release as of this advisory date).
This module provides a standardized solution for building API’s so that external clients can communicate with Drupal.
The module accepts user submitted data in PHP’s serialization format (“Content-Type: application/vnd.php.serialized”) which can lead to arbitrary remote code execution.
This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint’s path, and your Service Endpoint must have “application/vnd.php.serialized” enabled as a request parser.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
Services 7.x-3.x versions prior to 7.x-3.19.
Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.
Solution
Install the latest version:
If you use the Services 3.x module for Drupal 7.x, upgrade to Services 7.x-3.19
You may disable “application/vnd.php.serialized” under “Request parsing” in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server
However, installing the latest version of the Services module is highly recommended.
Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will ‘hide’ it from that breakpoint.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed breakpoint panels module, there is nothing you need to do.
Solution
If you use the breakpoint panels module for Drupal 7.x you should uninstall it.
This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.
The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution section for details on how to migrate to a supported and more secure AES encryption module.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions of the AES module
Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.
In all other situations, you can replace the AES module with the Real AES module:
If you don’t have a recent backup, make a backup of your site’s database and codebase. Consider taking your site offline (e.g. using Drupal’s maintenance mode) as some features may not work properly during this upgrade process.
Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
Download and extract the latest release of Real AES
Enable the Real AES, Key and AES compatibility modules
Use the Key module to create a new 128-bit encryption key with the name “Real AES Key”.
Clear all your Drupal caches.
Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (like, aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.
Vulnerability: Cross Site Scripting, Access bypass
Description
This module enables you to display one simple location map via Google Maps.
The module doesn’t sufficiently sanitize user input in the configuration text fields of the module (allows any tags and does not respect text format configuration).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer locationmap”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
locationmap 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Location Map module, there is nothing you need to do.
Remember me is a module that allows users to check “Remember me” when logging in.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
All versions
Drupal core is not affected. If you do not use the contributed Remember Me module, there is nothing you need to do.
Solution
If you use the remember_me module for Drupal 7.x you should uninstall it.
RestWS makes Drupal Entity data available in a REST API.
The module doesn’t sufficiently check for access to properties when filtering queries.
This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties. And the attacker can only query on the property equalling a value supplied by the attacker.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
restws 7.x-2.x versions prior to 7.x-2.7.
Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
Solution
Install the latest version:
If you use the restws 2.x module for Drupal 7.x, upgrade to restws 7.x-2.7