July 2017

Drupal Remote Dashboard - Critical - Weak encryption keys

* Advisory ID: DRUPAL-SA-CONTRIB-2017-046
* Project: Drupal Remote Dashboard
* Version: 7.x, 8.x
* Date: 2017-May-10
* Security risk: 17/25 (Critical)
* Vulnerability: Access bypass, Information Disclosure

DESCRIPTION

UPDATE (2017-07-12): This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release.

DrupalChat - Critical - Multiple vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2017-057
* Project: DrupalChat (third-party module)
* Version: 7.x
* Date: 2017-July-05
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery

DESCRIPTION

UPDATE (2017-07-12): This SA originally recommended version 2.6, but it was
incorrectly tagged. We've updated the SA to recommend version 2.7.

OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

* Advisory ID: DRUPAL-SA-CONTRIB-2017-056
* Project: OAuth (third-party module)
* Version: 8.x
* Date: 2017-July-05
* Security risk: 15/25 (Critical)

DESCRIPTION

This module enables you to protect requests via the OAuth authentication protocol.

The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as an unpublished node.

DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057

* Advisory ID: DRUPAL-SA-CONTRIB-2017-057
* Project: DrupalChat (third-party module)
* Version: 7.x
* Date: 2017-July-05
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting, Cross Site Request Forgery

DESCRIPTION

DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom.