July 2018

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Project: Select (or other)
Date: 2018-July-25
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module enables users to select 'other' on certain form elements and a
textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of the text field when the
"Select or other" formatter is used.

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Project: XML sitemap
Date: 2018-July-18
Security risk: *Moderately critical* 13∕25
Vulnerability: Information Disclosure

Description

This module enables you to generate XML sitemaps and it helps search engines
to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently check access rights when updating content
during cron execution.

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: *Critical* 17∕25
Vulnerability: SQL Injection

Description

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the
database with user supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional
queries.

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

Project: Tapestry
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme provides Drupal users with many advanced features including 20
Different Color Styles, 30 User Regions, Custom Block Theme Templates,
Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple
Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

Project: litejazz
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme features 3 color styles, 12 fully collapsible regions, suckerfish
menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Project: NewsFlash
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme features 7 color styles, 12 collapsible regions, suckerfish menus,
fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

Project: Beale Street
Date: 2018-July-11
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

This theme features 4 built-in color styles, 18 collapsible regions,
Suckerfish menus, flexible widths, adjustable sidebars, configurable font
family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable
under common site configurations.

Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Project: Commerce Custom Order Status
Date: 2018-July-11
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

Commerce Custom Order Status provides forms for administrators to add, edit,
and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

Project: EU Cookie Compliance
Date: 2018-July-11
Vulnerability: Cross Site Scripting

Description

This module addresses the General Data Protection Regulation (GDPR) that came
into effect 25th May 2018, and the EU Directive on Privacy and Electronic
Communications from 2012. It provides a banner where you can gather consent
from the user to store cookies on their computer and handle their personal
information.

WordPress 4.9.7 Security and Maintenance Release

WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.

Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were: