
====================================================================

                                 CERT-Renater

                    Information Note No. 2017/VULN014
_____________________________________________________________________

DATE                : 17/01/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mailjet versions 7.x prior to
                         7.x-2.9,
                      OpenLucius versions 7.x prior to 7.x-1.7,
                      Autocomplete Deluxe versions 7.x prior to 7.x-2.2.

=====================================================================
https://www.drupal.org/node/2842760
https://www.drupal.org/node/2842759
https://www.drupal.org/node/2842730
____________________________________________________________________

Mailjet - Highly critical - Arbitrary PHP code execution -
SA-CONTRIB-2017-005

Posted by Drupal Security Team on January 11, 2017 at 4:25pm

     Advisory ID: DRUPAL-SA-CONTRIB-2017-005
     Project: (third-party module)
     Version: 7.x
     Date: 2017-January-11
     Security risk: 23/25 (Highly Critical)
                    AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
     Vulnerability: Arbitrary PHP code execution


Description

The Mailjet module integrates with a 3rd party system to deliver
site-generated emails, including newsletters, system notifications,
etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its
"includes" directory. Per PSA-2016-004, this version of the PHPMailer
library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in
drupal.org repositories.

Updating this module will require manual actions to replace the
PHPMailer library as described in the README.txt file included in
the release.
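Because the fix depends on an operator replacing a library copy by hand, it helps to be able to confirm afterwards that no module still ships an old PHPMailer. The following script is an added example, not code from Mailjet, the Drupal Security Team or PHPMailer: it walks a Drupal code base, finds every class.phpmailer.php and reads the version string the library declares. The file name find_phpmailer.php and the minimum-version argument are assumptions; the advisory only identifies 5.2.8 as vulnerable, so the threshold to enforce has to come from the library's own release notes and is passed on the command line rather than hard-coded here.

```php
<?php
// Added example (not Mailjet, Drupal or PHPMailer code): report copies of
// PHPMailer bundled inside a Drupal tree together with their version.
// Usage (assumed file name): php find_phpmailer.php /var/www/drupal 5.2.8
// The second argument is the oldest version you consider acceptable; it is a
// placeholder to be taken from the PHPMailer release notes.

/**
 * Returns an array of path => version for every class.phpmailer.php found
 * under $root. PHPMailer 5.2.x declares its version in the class as
 *   public $Version = '5.2.8';
 * which is what the regular expression extracts; 'unknown' is recorded when
 * no such declaration is present.
 */
function find_bundled_phpmailer($root) {
  $found = array();
  $iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
  );
  foreach ($iterator as $file) {
    if ($file->getFilename() !== 'class.phpmailer.php') {
      continue;
    }
    $source = file_get_contents($file->getPathname());
    if (preg_match('/\$Version\s*=\s*[\'"]([0-9.]+)[\'"]/', $source, $m)) {
      $found[$file->getPathname()] = $m[1];
    }
    else {
      $found[$file->getPathname()] = 'unknown';
    }
  }
  return $found;
}

/**
 * Prints one line per copy and returns how many are older than $min_version
 * (copies whose version could not be read are counted as needing attention).
 */
function report_phpmailer_copies(array $found, $min_version) {
  $flagged = 0;
  foreach ($found as $path => $version) {
    $old = ($version === 'unknown') || version_compare($version, $min_version, '<');
    printf("%s %-8s %s\n", $old ? 'OLD' : 'ok ', $version, $path);
    if ($old) {
      $flagged++;
    }
  }
  return $flagged;
}

// CLI entry point: exit status 1 when any copy needs attention, so the
// script can run from cron or a deployment check.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
  $min = isset($argv[2]) ? $argv[2] : '0.0.0';
  exit(report_phpmailer_copies(find_bundled_phpmailer($argv[1]), $min) > 0 ? 1 : 0);
}
```

The check deliberately looks for the class file rather than a module name, since the point of the advisory is that a third-party library can turn up inside any module's directory, not only in the place the site administrator put it.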


CVE identifier(s) issued

     A CVE identifier will be requested, and added upon issuance,
in accordance with Drupal Security Team processes.


Versions affected

     Mailjet 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed
module, there is nothing you need to do.


Solution

Install the latest version:

     If you use the Mailjet module for Drupal 7.x, upgrade to
Mailjet 7.x-2.9

Also see the project page.


Reported by

     hargobind

Fixed by

     Proxiad, the module maintainer

Coordinated by

     Damien McKenna of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org
or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity

____________________________________________________________________

OpenLucius - Moderately Critical - Multiple vulnerabilities -
SA-CONTRIB-2017-004

Posted by Drupal Security Team on January 11, 2017 at 4:23pm

     Advisory ID: DRUPAL-SA-CONTRIB-2017-004
     Project: OpenLucius (third-party distribution)
     Version: 7.x
     Date: 2017-January-11
     Security risk: 14/25 (Moderately Critical)
                    AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
     Vulnerability: Cross Site Scripting, Cross Site Request Forgery


Description

OpenLucius is a work management platform for social communication,
documentation, and projects.

The distribution doesn't sufficiently use tokens when marking messages
for users as read thereby exposing a Cross Site Request Forgery (CSRF)
vulnerability.

The distribution does not sufficiently filter taxonomy term names
before outputting them to HTML thereby exposing a Cross Site Scripting
(XSS) vulnerability. This vulnerability is mitigated by the fact that
an attacker must have permissions to insert malicious taxonomy terms.
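The CSRF weakness above comes from a state-changing action (marking a message as read) being reachable by a plain request that carries nothing tied to the user's session. The following is an added example, not OpenLucius code, showing the Drupal 7 pattern for such a link: the menu callback only runs when the request carries a token that drupal_get_token() derived from the session and the message id, checked with drupal_valid_token(). The module name example_msgs, its paths and the {example_msgs_read} table are hypothetical.

```php
<?php
// Added example (not OpenLucius code): token-protected "mark as read" in a
// Drupal 7 module. Names are hypothetical.

/**
 * Implements hook_menu().
 */
function example_msgs_menu() {
  $items = array();
  // Weak pattern (what the advisory describes): any request to this path by
  // a logged-in user changes state, so a page elsewhere can trigger it.
  $items['messages/%/read-unprotected'] = array(
    'page callback' => 'example_msgs_mark_read',
    'page arguments' => array(1),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // Fixed pattern: the access callback additionally requires a valid token
  // bound to this message id and to the current session.
  $items['messages/%/read'] = array(
    'page callback' => 'example_msgs_mark_read',
    'page arguments' => array(1),
    'access callback' => 'example_msgs_mark_read_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: permission check plus CSRF token check.
 */
function example_msgs_mark_read_access($mid) {
  if (!user_access('access content')) {
    return FALSE;
  }
  // drupal_valid_token() recomputes the token from the session and the value
  // it was generated for; a token minted for another message or another
  // session does not validate.
  return isset($_GET['token'])
    && drupal_valid_token($_GET['token'], 'example_msgs_mark_read_' . $mid);
}

/**
 * Builds the link the UI shows, carrying the token the access check expects.
 */
function example_msgs_mark_read_link($mid) {
  return l(t('Mark as read'), 'messages/' . $mid . '/read', array(
    'query' => array('token' => drupal_get_token('example_msgs_mark_read_' . $mid)),
  ));
}

/**
 * Page callback: records the read state for the current user and redirects.
 */
function example_msgs_mark_read($mid) {
  global $user;
  // Hypothetical table {example_msgs_read}(mid, uid, timestamp).
  db_merge('example_msgs_read')
    ->key(array('mid' => (int) $mid, 'uid' => $user->uid))
    ->fields(array('timestamp' => REQUEST_TIME))
    ->execute();
  drupal_set_message(t('Message @mid marked as read.', array('@mid' => $mid)));
  drupal_goto('messages');
}
```

Putting the token check in the access callback rather than in the page callback means the menu system denies the request before any module code runs, and the same protection applies wherever the path is reached from.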


CVE identifier(s) issued

     A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.


Versions affected

     Openlucius 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed
OpenLucius News module, there is nothing you need to do.


Solution

Install the latest version:

     If you use the OpenLucius distribution for Drupal 7.x, upgrade to
OpenLucius 7.x-1.7

Also see the OpenLucius News project page.


Reported by

     Klaus Purer of the Drupal Security Team

Fixed by

     Thomas Dik, the distribution maintainer

Coordinated by

     Klaus Purer of the Drupal Security Team


Contact and More Information

The Drupal security team can be reached at security at drupal.org
or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity


____________________________________________________________________

Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS)
- SA-CONTRIB-2017-003

Posted by Drupal Security Team on January 11, 2017 at 3:42pm

     Advisory ID: DRUPAL-SA-CONTRIB-2017-003
     Project: Autocomplete Deluxe (third-party module)
     Version: 7.x
     Date: 2017-January-11
     Security risk: 13/25 (Moderately Critical)
                AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
     Vulnerability: Cross Site Scripting


Description

This module creates a new widget for taxonomy fields based on
jQuery UI autocomplete.

The module doesn't sufficiently escape the entered taxonomy terms
thereby exposing a Cross Site Scripting (XSS) vulnerability. This
vulnerability is mitigated by the fact that an attacker must have
the permission to edit a taxonomy field.
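Both this advisory and the OpenLucius one above concern the same root cause: taxonomy term names, which a user with the right permission may fill with markup, reaching the browser without being HTML-encoded. The following is an added example, not code from Autocomplete Deluxe or OpenLucius, showing the unsafe and the fixed rendering in Drupal 7 and the escaping an autocomplete JSON callback needs, since the Drupal 7 autocomplete JavaScript inserts the returned labels as HTML. Function names, the menu path and the constructed sample terms are assumptions.

```php
<?php
// Added example (not Autocomplete Deluxe or OpenLucius code): escaping
// taxonomy term names on output in Drupal 7. Names are hypothetical.

/**
 * Vulnerable pattern: term names are concatenated straight into markup, so
 * any tags a term author placed in the name are interpreted by the browser.
 */
function example_terms_list_unsafe(array $terms) {
  $output = '<ul>';
  foreach ($terms as $term) {
    $output .= '<li>' . $term->name . '</li>';
  }
  return $output . '</ul>';
}

/**
 * Fixed pattern: check_plain() HTML-encodes the name, so markup inside it is
 * displayed literally. theme('item_list') does not escape items itself,
 * which is why the encoding happens here, before the name is handed over.
 */
function example_terms_list_safe(array $terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = check_plain($term->name);
  }
  return theme('item_list', array('items' => $items));
}

/**
 * Autocomplete callback (assumed menu path 'example/autocomplete/%'). The
 * array key is the value written back into the text field and stays raw;
 * the array value is the label shown in the dropdown and is inserted into
 * the DOM as HTML by Drupal's autocomplete.js, so it must be escaped.
 */
function example_terms_autocomplete($vid, $string = '') {
  $matches = array();
  if ($string !== '') {
    $query = db_select('taxonomy_term_data', 't')
      ->fields('t', array('tid', 'name'))
      ->condition('t.vid', (int) $vid)
      ->condition('t.name', db_like($string) . '%', 'LIKE')
      ->range(0, 10);
    foreach ($query->execute() as $term) {
      $matches[$term->name] = check_plain($term->name);
    }
  }
  drupal_json_output($matches);
}

/**
 * Constructed demonstration: a term whose name carries markup. The unsafe
 * renderer returns it with the tag intact; the safe one returns it encoded
 * as &lt;b&gt;bold&lt;/b&gt;.
 */
function example_terms_demo() {
  $term = new stdClass();
  $term->tid = 1;
  $term->name = '<b>bold</b> term';
  return array(
    'unsafe' => example_terms_list_unsafe(array($term)),
    'safe' => example_terms_list_safe(array($term)),
  );
}
```

The same rule applies to any other place a term name is emitted: t() placeholders written as @name or %name are encoded, while !name is not, and l() encodes its link text unless 'html' => TRUE is passed.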


CVE identifier(s) issued

     A CVE identifier will be requested, and added upon issuance,
in accordance with Drupal Security Team processes.


Versions affected

     Autocomplete Deluxe 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed
Autocomplete Deluxe module, there is nothing you need to do.


Solution

Install the latest version:

     If you use the Autocomplete Deluxe module for Drupal 7.x,
upgrade to Autocomplete Deluxe 7.x-2.2

Also see the Autocomplete Deluxe project page.


Reported by

     René Wolf

Fixed by

     Sebastian Gilits, the module maintainer

Coordinated by

     Klaus Purer of the Drupal Security Team


Contact and More Information

The Drupal security team can be reached at security at drupal.org
or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================