
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN225

_____________________________________________________________________

DATE                : 18/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Meta tags quick for Drupal
                      versions prior to 7.x-2.10,
                      ImageCache Actions for Drupal versions prior to 7.x-1.10,
                      Custom Permissions for Drupal versions prior to 8.x-1.2.

=====================================================================
https://www.drupal.org/sa-contrib-2019-057
https://www.drupal.org/sa-contrib-2019-056
https://www.drupal.org/sa-contrib-2019-055
_____________________________________________________________________

   Meta tags quick - Moderately critical - Cross Site Scripting -
                              SA-CONTRIB-2019-057

   Project:
   Meta tags quick
   Date:
   2019-July-17
   Security risk:
   Moderately critical 13/25
   AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
   Vulnerability:
   Cross Site Scripting
   Description:

   Metatags quick is a module that manages meta tags (tags that appear
   in HTML's head section) as Drupal 7 fields.
   The administration page of Metatags quick does not sanitize the
   output of blocks that appear on the same page. This allows an
   attacker to inject malicious JavaScript in block markup.
   This vulnerability is mitigated by the fact that an attacker must
   have a role with the permission "administer blocks".

   Solution:

   Install the latest version.

   If you use the Metatags quick module for Drupal 7.x, upgrade to
   metatags quick 7.x-2.10.

   Reported By:

     * Yonatan Offek

   Fixed By:

     * Valery Lourie
     * Yonatan Offek

   Coordinated By:

     * Greg Knaddison of the Drupal Security Team

Contact and more information

   The Drupal security team can be reached by email at security at
   drupal.org or via the contact form.

   Learn more about the Drupal Security team and their policies, writing
   secure code for Drupal, and securing your site.

   Follow the Drupal Security Team on Twitter @drupalsecurity

_____________________________________________________________________


ImageCache Actions - Critical - Multiple Vulnerabilities -
SA-CONTRIB-2019-056

   Project:
   ImageCache Actions
   Date:
   2019-July-17
   Security risk:
   Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
   Vulnerability:
   Multiple Vulnerabilities
   Description:

   The imagecache actions module defines a number of additional image
   effects that can be used to create image styles. The "Image styles
   admin" sub module provides additional functionality to duplicate,
   export and import image styles. The module uses unserialize() to
   import image styles into another site, and unserialize() is known to
   have security issues when processing potentially unsafe input.

   This vulnerability is mitigated by the fact that the "Image styles
   admin" sub module must be enabled and an attacker must have a role
   with the permission "administer image styles".

   Furthermore, the import functionality supports PHP code included in
   image effects as part of an image style, which would run on image
   derivative generation subject to the PHP module being enabled. This
   is intended behaviour for the "Image styles admin" sub module, but
   the user access restrictions should reflect the potential risks
   involved.

   The new security release of this module introduces a new "import
   image styles" permission which is marked as restricted. In order to
   use the image style import functionality, users will need to have a
   role which has this new permission in addition to "administer image
   styles" (which is not marked as restricted).
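
   To illustrate the unserialize() concern described above, here is an
   added example. It is not code from ImageCache Actions and not the
   module's fix, which per this advisory is a new restricted permission.
   The example_ function names and the 'name'/'effects' export layout
   are assumptions.

```php
<?php
// Added example, not ImageCache Actions code. Names prefixed example_ are
// hypothetical; the 'name'/'effects' keys are an assumed export layout.

/**
 * Decodes a pasted image-style export without instantiating any object.
 * Returns the style array, or NULL when the input is not acceptable.
 */
function example_import_image_style($text) {
  // PHP >= 7.0: with allowed_classes off, serialized objects come back as
  // __PHP_Incomplete_Class, so no __wakeup()/__destruct() method is run.
  $style = @unserialize(trim($text), ['allowed_classes' => FALSE]);
  if (!is_array($style) || !isset($style['name'], $style['effects'])) {
    return NULL;
  }
  if (!is_string($style['name']) || !preg_match('/\A[a-z0-9_]+\z/', $style['name'])) {
    return NULL;
  }
  if (!is_array($style['effects']) || !example_is_plain_data($style)) {
    return NULL;
  }
  return $style;
}

/** TRUE when the tree holds only arrays, scalars and NULL (no objects). */
function example_is_plain_data(array $data) {
  foreach ($data as $value) {
    if (is_array($value)) {
      if (!example_is_plain_data($value)) {
        return FALSE;
      }
    }
    elseif ($value !== NULL && !is_scalar($value)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample exports: one plain, one with an object in effect data.
$plain = serialize(['name' => 'thumb_square', 'effects' => [
  ['name' => 'image_scale', 'data' => ['width' => 100, 'height' => 100]],
]]);
$with_object = serialize(['name' => 'thumb_square', 'effects' => [
  ['name' => 'image_scale', 'data' => (object) ['width' => 100]],
]]);

var_dump(example_import_image_style($plain) !== NULL);
var_dump(example_import_image_style($with_object) === NULL);
```

   The options argument to unserialize() exists only from PHP 7.0; on
   older runtimes a data-only format such as JSON (json_decode()) avoids
   object instantiation altogether.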

   Solution:

     * If you use the Imagecache Actions module for Drupal 7.x, upgrade
       to Imagecache Actions 7.x-1.10.
     * Image Effects, the D8 successor, is *not* vulnerable to this
       exploit.

   Reported By:

     * Ruben Hofman

   Fixed By:

     * Erwin Derksen
     * Greg Knaddison of the Drupal Security Team

   Coordinated By:

     * Greg Knaddison of the Drupal Security Team
     * Ivo Van Geertruyen of the Drupal Security Team
     * Drew Webber of the Drupal Security Team

_____________________________________________________________________

Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

Project:       Custom Permissions
Version:       8.x-1.x-dev
Date:          2019-July-10
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

This module enables you to add and manage additional custom permissions
through the administration UI.

The module doesn't sufficiently check for the proper access permissions
to its administration page.

This vulnerability is mitigated by the fact that an attacker must know
the route of the Custom Permissions administration form, though this is
easily known.


Solution:

Install the latest version:

    If you use Custom Permissions 8.x-1.1 for Drupal 8.x, upgrade to
    Custom Permissions 8.x-1.2.

Also see the Custom Permissions project page.


Reported By:

    Mohammed Razem

Fixed By:

    David Valdez

Coordinated By:

    Greg Knaddison of the Drupal Security Team




=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


