June 2018

TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Project: TFA Basic plugins
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness

Description

The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or
SMS.

The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.

Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

Project: Mass Password Reset
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness

Description

This module enables you to reset passwords for all users based upon their
user role.

The module doesn't use a strong source of randomness, creating weak and
predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured
to reveal the password to the attacker, which is a common configuration.

Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

Project: Generate Password
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness

Description

The Genpass module makes the password field optional (or hidden) on the add
new user page (admin & registration). If the password field is not set during
registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and
predictable passwords.
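The three advisories above (TFA Basic plugins, Mass Password Reset, Generate Password) share one root cause: one-time codes or passwords drawn from a non-cryptographic generator. As an added example, not code from any of those modules, the PHP below puts a weak mt_rand() code generator beside hardened versions built on PHP 7's random_int()/random_bytes(); the seed value, digit count and alphabet are illustrative assumptions.

```php
<?php
// Added example (not code from TFA Basic, Mass Password Reset or Generate
// Password): a weak one-time-code generator beside hardened replacements.

// WEAK: mt_rand() is a Mersenne Twister, not a CSPRNG. Its whole output
// stream is fixed by its integer seed, so codes are reproducible.
function weak_sms_code(int $digits = 6): string {
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= mt_rand(0, 9);
    }
    return $code;
}

// STRONG: random_int() (PHP 7+) reads the OS CSPRNG and is unbiased for the
// requested range. Drupal 7 core offers drupal_random_bytes(),
// drupal_random_key() and user_password() for the same purpose.
function strong_sms_code(int $digits = 6): string {
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= random_int(0, 9);
    }
    return $code;
}

// STRONG password: rejection sampling over an alphabet without 0/O and 1/l/I,
// the same approach Drupal 7's user_password() takes over drupal_random_bytes().
function strong_password(int $length = 12): string {
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $pass = '';
    while (strlen($pass) < $length) {
        // One byte gives 0..255; discard values past the alphabet so every
        // character is equally likely (no modulo bias).
        $index = ord(random_bytes(1));
        if ($index <= $max) {
            $pass .= $alphabet[$index];
        }
    }
    return $pass;
}

// Check that illustrates the weakness: re-seeding (seed 12345 is an assumed
// value) makes the "random" code come out identical both times.
mt_srand(12345);
$first = weak_sms_code();
mt_srand(12345);
$second = weak_sms_code();
printf("weak codes, same seed: %s %s (identical: %s)\n",
    $first, $second, $first === $second ? 'yes' : 'no');
printf("strong SMS code: %s\nstrong password: %s\n", strong_sms_code(), strong_password());
```

When reviewing a Drupal 7 module for this bug class, grep for mt_rand(), rand(), uniqid() and similar in any code path that produces a credential, and replace them with drupal_random_bytes()/user_password() or the PHP 7 functions shown here.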

Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Project: Custom Tokens
Date: 2018-June-13
Security risk: *Critical* 16∕25
Vulnerability: Arbitrary PHP code execution

Description

The Custom Tokens module enables you to create custom tokens for specific
replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are
risky and should only be granted to highly trusted roles.

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Project: Entity Delete
Date: 2018-June-06
Security risk: *Critical* 18∕25
Vulnerability: Multiple Vulnerabilities

Description

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use
cases, leading to access bypass. The module also does not protect against
Cross Site Request Forgeries on its delete process.

AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

Project: AdTego SiteIntel - AdBlocker Detect
Date: 2018-June-06
Security risk: *Critical* 15∕25
Vulnerability: Unsupported

Description

The security team is marking this project unsupported. There is a known
security issue with the project that has not been fixed by the maintainer. If
you would like to maintain this project, please read:
https://www.drupal.org/node/251466.

Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

Project: Mollom
Date: 2018-June-06
Security risk: *Critical* 15∕25
Vulnerability: Unsupported

Description

The security team is marking this project unsupported. There is a known
security issue with the project that has not been fixed by the maintainer. If
you would like to maintain this project, please read:
https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.