====================================================================
CERT-Renater Note d'Information No. 2017/VULN336
_____________________________________________________________________

DATE : 10/11/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
  Custom Permissions for DRUPAL versions prior to 8.x-1.1,
  Permissions by Term for DRUPAL versions prior to 8.x-1.35,
  Automated Logout for DRUPAL versions prior to 7.x-4.5.
=====================================================================

https://www.drupal.org/sa-contrib-2017-083
https://www.drupal.org/sa-contrib-2017-082
https://www.drupal.org/sa-contrib-2017-081
____________________________________________________________________

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Project: Custom Permissions
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass

Description:

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.
Solution:

Install the latest version:

  - If you use the Custom Permissions module for Drupal 8, upgrade to Custom Permissions 8.x-1.1

Reported By:
  - Michael Koza
  - David Rothstein of the Drupal Security Team

Fixed By:
  - David Valdez, the module maintainer
  - David Rothstein of the Drupal Security Team

Coordinated By:
  - David Rothstein of the Drupal Security Team
____________________________________________________________________

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description:

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs on sites that either have another node access module (besides Permissions by Term) in use, or that have node listings that are accessible to unprivileged users and that don't directly filter out unpublished content.
Solution:

Install the latest version:

  - If you use the Permissions by Term module for Drupal 8, upgrade to Permissions by Term 8.x-1.35

Reported By:
  - David Rothstein of the Drupal Security Team

Fixed By:
  - David Rothstein of the Drupal Security Team
  - Peter Majmesku, the module maintainer

Coordinated By:
  - David Rothstein of the Drupal Security Team
____________________________________________________________________

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Project: Automated Logout
Version: 7.x-4.x-dev
Date: 2017-November-01
Security risk: Moderately critical 14/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting

Description:

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

Solution:

Install the latest version:

  - If you use the Automated Logout module for Drupal 7, upgrade to Automated Logout 7.x-4.5

Reported By:
  - Nancy Wichmann

Fixed By:
  - Nancy Wichmann
  - Ajit Shinde, the module maintainer

Coordinated By:
  - David Snopek of the Drupal Security Team

==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================