October 2016

Tripal BLAST UI - Highly Critical - Remote Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-054
* Project: Tripal BLAST UI (third-party module)
* Version: 7.x
* Date: 2016-October-26
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Remote code execution

DESCRIPTION

This module enables you to run NCBI BLAST jobs on the host system.

The module doesn't sufficiently validate the advanced options that users can
supply when submitting a BLAST job. A user can therefore include a short
shell command fragment in those options, and it is executed on the server
when the BLAST job is run.
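The pattern behind this class of bug, shown as an added example rather than
Tripal BLAST UI's own code: user-controlled "advanced options" concatenated
into the command line that launches BLAST, beside a hardened builder. The
program list, the option allow-list and the value grammars are assumptions
chosen for illustration, not the module's configuration.

```php
<?php
// Added illustration of the bug class: user-controlled advanced options
// spliced into the BLAST command line. Hypothetical code, not Tripal BLAST UI's.

/**
 * Vulnerable pattern: the raw advanced-options string is concatenated into
 * the command. A value such as "-evalue 1e-5; id > /tmp/pwned" makes the
 * shell run a second command once blastn finishes.
 */
function blast_command_vulnerable($program, $query, $db, $advanced) {
  return "$program -query $query -db $db $advanced";
}

/**
 * Hardened pattern: fixed program list, allow-listed option names, a value
 * grammar per option, and escapeshellarg() on every value.
 *
 * escapeshellarg() alone is not enough: it stops shell metacharacters but
 * not argument injection (for example an attacker adding "-out" to make
 * BLAST write a file of their choosing), hence the allow-list of names.
 */
function blast_command_safe($program, $query, $db, array $options) {
  $programs = array('blastn', 'blastp', 'blastx', 'tblastn', 'tblastx');
  if (!in_array($program, $programs, TRUE)) {
    throw new InvalidArgumentException('Unsupported BLAST program.');
  }
  // Assumed subset of BLAST+ options a user may set, each with a strict grammar.
  $allowed = array(
    'evalue'          => '/^\d+(\.\d+)?(e-?\d+)?$/i',
    'max_target_seqs' => '/^[1-9]\d{0,5}$/',
    'word_size'       => '/^[1-9]\d{0,2}$/',
    'gapopen'         => '/^\d{1,3}$/',
    'gapextend'       => '/^\d{1,3}$/',
    'matrix'          => '/^(BLOSUM(45|50|62|80|90)|PAM(30|70|250))$/',
  );
  $argv = array($program, '-query', escapeshellarg($query), '-db', escapeshellarg($db));
  foreach ($options as $name => $value) {
    if (!isset($allowed[$name])) {
      throw new InvalidArgumentException("Option -$name is not permitted.");
    }
    $value = (string) $value;
    if (!preg_match($allowed[$name], $value)) {
      throw new InvalidArgumentException("Bad value for -$name.");
    }
    $argv[] = '-' . $name;
    $argv[] = escapeshellarg($value);
  }
  return implode(' ', $argv);
}

// Demo with a constructed malicious input.
$evil = '-evalue 1e-5; id > /tmp/pwned';
echo blast_command_vulnerable('blastn', '/tmp/q.fa', 'nt', $evil), "\n";

echo blast_command_safe('blastn', '/tmp/q.fa', 'nt',
  array('evalue' => '1e-5', 'max_target_seqs' => 50)), "\n";

try {
  blast_command_safe('blastn', '/tmp/q.fa', 'nt', array('evalue' => $evil));
}
catch (InvalidArgumentException $e) {
  echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The vulnerable builder emits the injected `;` unchanged, so the shell runs
`id > /tmp/pwned` after BLAST. The hardened builder rejects the same input
at the value grammar before it reaches the shell, and quotes every value it
does accept. On PHP 7.4 or later, passing an argv array to proc_open()
avoids the shell altogether and is preferable to string building.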

Webform - Less Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2016-053
* Project: Webform
* Version: 7.x
* Date: 2016-October-19
* Security risk: 9/25
* Vulnerability: Access bypass

DESCRIPTION

This module provides a user interface to create and configure forms called
Webforms.

When a form accepts private file uploads, Webform did not explicitly deny
access to the files it manages; it merely expressed no opinion, so any other
module that granted access to those files could expose them.
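An added example of the Drupal 7 access-control pattern at issue, written for
a hypothetical module named mymodule rather than taken from Webform. In
Drupal 7, file_download() calls every module's hook_file_download($uri); a
module returning -1 denies the download outright, a module returning NULL has
no opinion, and if nobody denies, the headers returned by any module
authorise the transfer. The private path, the permission name and the access
rule below are assumptions.

```php
<?php
// Added example: explicit denial versus "no opinion" in hook_file_download().
// Hypothetical module "mymodule"; not Webform's code.

/**
 * The vulnerable shape: returning NULL for a file the user may not see.
 * Another module that returns headers for the same URI then grants access.
 */
function mymodule_file_download_vulnerable($uri) {
  if (strpos($uri, 'private://mymodule/') !== 0) {
    return NULL;
  }
  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);
  if (!$file || !mymodule_file_access($file)) {
    return;  // NULL: "no opinion", so a grant elsewhere still wins.
  }
  return file_get_content_headers($file);
}

/**
 * Implements hook_file_download().
 *
 * The fixed shape: files under our path that the user may not see are
 * denied with -1, which overrides any grant from another module.
 */
function mymodule_file_download($uri) {
  // Files outside our private directory are not ours: stay silent.
  if (strpos($uri, 'private://mymodule/') !== 0) {
    return NULL;
  }

  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);

  // A file under our path that we did not register is denied, not ignored.
  if (!$file) {
    return -1;
  }

  if (!mymodule_file_access($file)) {
    return -1;
  }

  // Allowed: return the headers Drupal should send with the file.
  return file_get_content_headers($file);
}

/**
 * Hypothetical access rule: the uploader, or anyone with a review permission.
 */
function mymodule_file_access($file) {
  global $user;
  if (user_access('review mymodule uploads')) {
    return TRUE;
  }
  return $user->uid != 0 && $file->uid == $user->uid;
}
```

The practical check when auditing a module that stores private files: grep
its hook_file_download() for a bare `return;` or a fall-through on the
access-denied path. Only `-1` is a denial; everything else defers to the
rest of the site.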

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-052
* Project: Elysia Cron
* Version: 7.x
* Date: 2016-October-12
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to manage cron jobs.

The module doesn't sufficiently sanitize the cron rules entered into the
"Predefined rules" field before they are displayed, thereby exposing a stored
Cross Site Scripting vulnerability.
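An added example, not Elysia Cron's code, of the two controls that close a
stored XSS of this shape: validate the field against the grammar it is meant
to hold, and escape it on output anyway. The crontab grammar is an assumed
five-field subset (numbers, `*`, ranges, steps, lists), the form field name
is hypothetical, and check_plain() is stubbed with the same htmlspecialchars()
call Drupal 7 uses so the snippet runs outside Drupal.

```php
<?php
// Added example: input validation plus output escaping for a stored
// "Predefined rules" value. Hypothetical code, not Elysia Cron's.

// Drupal 7's HTML escaper, reproduced so this runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Accept only the classic five-field crontab grammar (assumed subset:
 * numbers, '*', ranges, steps and comma lists). Markup cannot pass.
 */
function cron_rule_is_valid($rule) {
  $fields = preg_split('/\s+/', trim($rule));
  if (count($fields) !== 5) {
    return FALSE;
  }
  $item  = '(\*|\d{1,2}(-\d{1,2})?)(\/\d{1,2})?';
  $field = '/^' . $item . '(,' . $item . ')*$/';
  foreach ($fields as $f) {
    if (!preg_match($field, $f)) {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Drupal 7 form validation callback for a textarea holding one rule per line.
 * form_set_error() blocks submission, so a bad rule is never stored.
 */
function mymodule_rules_form_validate($form, &$form_state) {
  $lines = preg_split('/\r\n|\r|\n/', $form_state['values']['predefined_rules']);
  foreach (array_filter(array_map('trim', $lines)) as $line) {
    if (!cron_rule_is_valid($line)) {
      // %rule is escaped by t(), so the bad value is safe in the error too.
      form_set_error('predefined_rules',
        t('%rule is not a valid cron rule.', array('%rule' => $line)));
    }
  }
}

/**
 * Render a stored rule into a table cell. Escape on output regardless of
 * validation on input: rules stored before the validator existed, or edited
 * directly in the database, must still render inert.
 */
function render_rule_cell($rule) {
  return '<td>' . check_plain($rule) . '</td>';
}

// Demo with a constructed payload.
$injected = '* * * * * <script>alert(document.cookie)</script>';
var_dump(cron_rule_is_valid('*/5 0-6,18-23 * * 1-5'));
var_dump(cron_rule_is_valid($injected));
echo render_rule_cell($injected), "\n";
```

The validator rejects the payload because it has more than five fields and
contains characters outside the grammar; the renderer turns `<` and `>` into
entities so the same string is harmless even if it reaches the page. Keep
both: the escape on output is what protects data that was stored before the
validation was added.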