October 2016

Tripal BLAST UI - Highly Critical - Remote Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2016-054
* Project: Tripal BLAST UI (third-party module)
* Version: 7.x
* Date: 2016-October-26
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Remote code execution

This module enables you to run NCBI BLAST jobs on the host system.

The module doesn't sufficiently validate advanced options available to users
submitting BLAST jobs, thereby exposing the ability to enter a short snippet
of shell code that will be executed when the BLAST job is run.

Webform - Less Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2016-053
* Project: Webform
* Version: 7.x
* Date: 2016-October-19
* Security risk: 9/25 (Less Critical)
* Vulnerability: Access bypass

This module provides a user interface to create and configure forms called

When using forms with private file uploads, Webform wasn't explicitly denying
access to files it managed which could allow access to be granted by other

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-052
* Project: Elysia Cron
* Version: 7.x
* Date: 2016-October-12
* Security risk: 11/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

This module enables you to manage cron jobs.

The module doesn't sufficiently sanitize the cron rules entered into the
"Predefined rules" field, thereby exposing a Cross Site Scripting