Drupal

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Project: Custom Permissions
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13/25
Vulnerability: Access bypass

Description
Custom Permissions is a lightweight module that allows permissions to be
created and managed through an administrative form.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 14/25
Vulnerability: Access bypass

Description
The Permissions by Term module extends Drupal by adding functionality for
restricting access to single nodes via taxonomy terms.

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Project: Automated Logout
Version: 7.x-4.x-dev
Date: 2017-November-01
Security risk: *Moderately critical* 14/25
Vulnerability: Cross Site Scripting

Description

This module gives a site administrator the ability to log users out after a
specified period of inactivity. It is highly customizable and includes "site
policies" by role to enforce logout.

The module does not sufficiently filter user-supplied text that is stored in
the configuration, resulting in a persistent Cross Site Scripting
vulnerability (XSS).

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

Project: Mosaik
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Moderately critical* 13/25
Vulnerability: Cross-site scripting

Description

The Mosaik module enables you to create pages or complex blocks in Drupal
with the logic of a real mosaic and its pieces.

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Project: Brilliant Gallery
Version: 7.x-1.x-dev
Date: 2017-October-25
Security risk: *Highly critical* 20/25
Vulnerability: Multiple Vulnerabilities

Description

This module enables you to display any number of galleries based on images
located in the files folder.

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78

Project: Yandex.Metrics
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Security risk: *Moderately critical* 13/25
Vulnerability: Cross site scripting

Description:

The Yandex.Metrics module allows you to look for key indicators of your site
effectiveness.

The module does not sufficiently warn site builders that access to its
settings page should not be granted to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer Yandex.Metrics settings."

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Project: netFORUM Authentication
Version: 7.x-1.0
Date: 2017-October-11
Security risk: *Moderately critical* 12/25
Vulnerability: Access Bypass

Description:

The netFORUM Authentication module implements external authentication for
users against netFORUM.

The module does not correctly use flood control, making it susceptible to
brute-force attacks.

Solution:

Install the latest version:

Page Access - Unsupported - SA-CONTRIB-2017-75

* Advisory ID: DRUPAL-SA-CONTRIB-2017-75
* Project: Page Access (third-party module)
* Date: 20-September-2017

DESCRIPTION

This module provides the option to grant View and Edit access to users and
roles on each node page.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

* Advisory ID: DRUPAL-SA-CONTRIB-2017-076
* Project: Skype Status
* Version: 7.x
* Date: 2017-September-20
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to obtain the status of a user's Skype account.

The module does not sufficiently sanitize the user-supplied Skype ID.

This vulnerability is mitigated by the fact that an attacker must have an
account on the site and be allowed to edit/input their Skype ID.

VERSIONS AFFECTED