
====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN407
_____________________________________________________________________

DATE                : 30/11/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GatherContent for Drupal,
                      Date Reminder for Drupal, Bootstrap for Drupal.

=====================================================================
https://www.drupal.org/sa-contrib-2018-075
https://www.drupal.org/sa-contrib-2018-076
https://www.drupal.org/sa-contrib-2018-074
_____________________________________________________________________

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

Project:           GatherContent
Date:              2018-November-28
Security risk:     Moderately critical 13/25
                   AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability:     Access bypass

Description:

This module enables you to import and export data from the GatherContent
service.

The module did not properly protect its administrative paths (the risk
vector's A:None indicates that no authentication is needed to exploit this).

Versions affected:

  o gathercontent 7.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed
GatherContent module, there is nothing you need to do.

Solution:

Install the latest version:

  o If you use the gathercontent module for Drupal 7.x, upgrade to
    gathercontent 7.x-3.5

Reported By:

  o Francisco Rodriguez

Fixed By:

  o Roland Kovacsics

Coordinated By:

  o Michael Hess of the Drupal Security Team
  o Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

Project:         Date Reminder
Date:            2018-November-28
Security risk:   Moderately critical 10/25
                 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability:   Access bypass

Description:

This module allows registered users to request email reminders to be
sent at a specified time before an event.

The module does not sufficiently check access to nodes, allowing a user
to set a reminder on a node that the user should not be able to access.

This can be mitigated by setting the Date Reminder "Reminder Display"
option to "Fieldset within a node", which disables the potential exploit.

Solution:

Install the latest version:

  o If you use the Date Reminder module for Drupal 7.x, upgrade to Date
    Reminder 7.x-1.15

Also see the Date Reminder project page.

Reported By:

  o than_nak87

Fixed By:

  o dwillcox
  o Balazs Janos Tatar, provisional Security Team member

Coordinated By:

  o Balazs Janos Tatar, provisional Security Team member

_____________________________________________________________________

Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074

Project:         Bootstrap
Version:         7.x-3.22
                 8.x-3.14
Date:            2018-November-28
Security risk:   Moderately critical 11/25
                 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability:   Cross site scripting

Description:

This base theme bridges the gap between Drupal and the Bootstrap
Framework.

The theme does not sufficiently filter the value of the data-target
attribute that it resolves as a target when opening modals, popovers, and
tooltips, so a value containing markup can lead to cross site scripting.

This vulnerability is mitigated by the fact that an attacker must
already have the ability to either:

 1. Edit/save custom content that supplies a malicious value for the
    data-target attribute.
 2. Inject custom markup onto the page that abuses the data-target
    attribute. An attacker who already has this level of access has
    little need for this vector, so this method is highly unlikely.

Note: the base theme does not provide either of these opportunities out
of the box; a custom sub-theme may, however, be susceptible if it does
not properly sanitize or filter user-provided input for XSS.

Solution:

Install the latest version and take additional manual steps (see below).

  o If you use the Drupal Bootstrap base-theme for Drupal 7.x, upgrade
    to 7.x-3.22
  o If you use the Drupal Bootstrap base-theme for Drupal 8.x, upgrade
    to 8.x-3.14
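As an added example that is not part of any of the three projects or of
this bulletin, the following Node.js script checks the packaged version
string of a Drupal 7 .info file or a Drupal 8 .info.yml file against the
fixed releases named in the three advisories above. The project machine
names "gathercontent" and "bootstrap" appear in the advisories; the
machine name "datereminder" for Date Reminder is an assumption. The
sample .info contents at the bottom are constructed.

```javascript
// Added example: version check against the fixed releases in this bulletin.
// Not code from GatherContent, Date Reminder or the Bootstrap theme.
const FIXED_RELEASES = {
  gathercontent: { '7.x': '7.x-3.5' },
  datereminder: { '7.x': '7.x-1.15' }, // machine name is an assumption
  bootstrap: { '7.x': '7.x-3.22', '8.x': '8.x-3.14' },
};

// Pull project, core and version out of either "key = "value"" (D7 .info)
// or "key: value" (D8 .info.yml). Packaged releases carry all three; a git
// checkout usually lacks version and is reported as unknown.
function parseInfo(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(project|core|version)\s*[=:]\s*['"]?([^'"\s]+)/.exec(line);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// Split "7.x-3.5", "8.x-3.14-rc1" or "7.x-3.x-dev" into its parts.
// A branch snapshot (minor "x") cannot be compared to a tagged release.
function parseVersion(v) {
  const m = /^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$/.exec(v);
  if (!m) return null;
  return {
    core: m[1],
    major: Number(m[2]),
    minor: m[3] === 'x' ? null : Number(m[3]),
    pre: m[4] || '',
    dev: m[3] === 'x',
  };
}

// Negative when a is older than b. A pre-release tag (alpha/beta/rc) sorts
// before the final release with the same numbers, so 8.x-3.14-rc1 is older
// than 8.x-3.14 and therefore still affected.
function compareVersions(a, b) {
  if (a.major !== b.major) return a.major - b.major;
  if (a.minor !== b.minor) return a.minor - b.minor;
  if (a.pre === b.pre) return 0;
  if (a.pre === '') return 1;
  if (b.pre === '') return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Status is one of: 'fixed', 'affected', 'unknown' (dev snapshot, missing or
// unparsable version) or 'not-listed' (project or core branch not covered by
// this bulletin, which says nothing about it either way).
function assessInfo(text) {
  const info = parseInfo(text);
  const fixes = FIXED_RELEASES[info.project];
  const fixed = fixes && fixes[info.core];
  if (!fixed) return { project: info.project || null, status: 'not-listed' };
  const have = info.version ? parseVersion(info.version) : null;
  if (!have || have.dev || have.core !== info.core) {
    return { project: info.project, version: info.version || null, status: 'unknown' };
  }
  const status = compareVersions(have, parseVersion(fixed)) >= 0 ? 'fixed' : 'affected';
  return { project: info.project, version: info.version, fixedIn: fixed, status };
}

// Constructed sample files, as the drupal.org packager writes them.
const SAMPLE_D7_INFO = [
  'name = GatherContent',
  'core = 7.x',
  'project = "gathercontent"',
  'version = "7.x-3.4"',
].join('\n');

const SAMPLE_D8_INFO_YML = [
  'name: Bootstrap',
  'type: theme',
  'core: 8.x',
  'project: bootstrap',
  'version: 8.x-3.14',
].join('\n');

console.log(assessInfo(SAMPLE_D7_INFO));      // status: 'affected'
console.log(assessInfo(SAMPLE_D8_INFO_YML));  // status: 'fixed'
```

Run it against the real files with something like
`assessInfo(fs.readFileSync('sites/all/modules/gathercontent/gathercontent.info', 'utf8'))`;
a 'not-listed' result only means the bulletin does not cover that
project or branch, not that it is safe.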

Extra Note:

The vulnerability fixed in the Bootstrap theme releases on Drupal.org is
a by-product from forking parts of the external framework's JavaScript
code. The external framework's vulnerability was first reported in a
public issue and later a fix for this vulnerability was merged into the
external framework, however an official release of the external
framework has yet to be made.

Users of this theme should take two additional steps:

 1. Follow this external framework issue for further information and to
    keep up-to-date on when you need to upgrade your sub-theme's
    external framework source. You may consider using the distributed
    files from the temporary branch master-xmr-v3-fixes until an
    official release is made.
 2. Review any custom code on your site that might have copied from the
    external framework's vulnerable code.
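For step 2, the following Node.js script is an added example, not code from
the Drupal Bootstrap theme or from the upstream framework. It models in
miniature how a trigger's data-target value reaches jQuery's $() in forked
Bootstrap 3 JavaScript, shows the hardened resolution that only ever treats
the value as a selector (upstream's approach is to call
$(document).find(target), which rejects markup), and walks a constructed
page to flag triggers whose target jQuery would parse as HTML. jQuery is not
required: the two regexes at the top reproduce the part of its $() dispatch
that matters here, and the sample markup is constructed.

```javascript
// Added example, not part of the Drupal Bootstrap theme or of the upstream
// framework. Models data-target resolution and audits server-rendered markup.

// jQuery's "quick expression": a string shaped like "<tag ...>" is parsed as
// HTML and turned into elements (an <img onerror=...> fires immediately),
// "#id" is an id lookup, and anything else goes to the selector engine.
const RQUICK_HTML = /^\s*(<[\w\W]+>)[^>]*$/;
const RQUICK_ID = /^#([\w-]+)$/;

// Vulnerable-style target derivation: data-target wins, otherwise the
// fragment of href (the same replace() the framework's collapse plugin
// uses). The caller then does $(target), which is where markup becomes DOM.
function targetFromTrigger(trigger) {
  const href = trigger.href;
  return trigger['data-target'] ||
    (href && href.replace(/.*(?=#[^\s]+$)/, '')) || null;
}

// What $(target) would do with the string.
function jqueryInterpretation(target) {
  if (RQUICK_HTML.test(target)) return 'html';
  if (RQUICK_ID.test(target)) return 'id';
  return 'selector';
}

// Hardened resolution: the value is a selector or nothing. This makes the
// contract of $(document).find(target) explicit so the rejection is testable.
function resolveTargetSafely(trigger) {
  const target = targetFromTrigger(trigger);
  if (target === null) return null;
  if (jqueryInterpretation(target) === 'html') {
    throw new Error('data-target is markup, not a selector: ' + target);
  }
  return target;
}

// Browsers decode entities in attribute values before jQuery's attr() sees
// them, so an HTML-escaped data-target is still markup by the time it is
// used; the audit decodes the common entities for the same reason.
function decodeEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', '#39': "'", amp: '&' };
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (_, e) => map[e]);
}

// Quote-aware tag matcher (a ">" inside a quoted attribute must not end the
// tag) and attribute extractor for the audit.
const TAG_RE = /<[A-Za-z][^\s\/>]*(?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*\s*\/?>/g;
const ATTR_RE = /([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Walk rendered markup and report every data-toggle trigger (the elements
// the framework's data API binds to) whose target jQuery would parse as HTML.
function auditMarkup(html) {
  const findings = [];
  for (const tag of html.match(TAG_RE) || []) {
    const attrs = {};
    for (const m of tag.matchAll(ATTR_RE)) {
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      attrs[m[1].toLowerCase()] = decodeEntities(value);
    }
    if (!('data-toggle' in attrs)) continue;
    const target = targetFromTrigger(attrs);
    if (target !== null && jqueryInterpretation(target) === 'html') {
      findings.push({ tag, target });
    }
  }
  return findings;
}

// Constructed sample page: a benign modal trigger, an href-based collapse
// trigger, a plain link, and a tooltip trigger whose data-target carries
// user-supplied markup that the template escaped but did not strip.
const SAMPLE_PAGE = [
  '<button data-toggle="modal" data-target="#helpModal">Help</button>',
  '<a data-toggle="collapse" href="/node/1#details">Details</a>',
  '<a href="/user/login">Log in</a>',
  '<a data-toggle="tooltip" data-target="&lt;img src=x onerror=alert(1)&gt;">Evil</a>',
].join('\n');

for (const f of auditMarkup(SAMPLE_PAGE)) {
  console.log('unsafe data-target:', f.target, 'in', f.tag);
}
```

Note that escaping the attribute on output is not enough on its own, which
is why the fourth sample line is flagged: the browser hands jQuery the
decoded string. A sub-theme that prints user input into data-target must
restrict it to a selector, and its copied JavaScript must resolve the value
with $(document).find(...) rather than $(...).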

Also see the Bootstrap project page.

Reported By:

  o Gomez_in_the_South

Fixed By:

  o Mark Carver

Coordinated By:

  o Greg Knaddison of the Drupal Security Team
  o Samuel Mortenson of the Drupal Security Team


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


