
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN418
_____________________________________________________________________

DATE                : 18/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Permissions by Term for Drupal,
                               Modal Page for Drupal,
                               Taxonomy access fix for Drupal,
                               Smart Trim for Drupal,
                               Webform for Drupal.

=====================================================================
https://www.drupal.org/sa-contrib-2019-095
https://www.drupal.org/sa-contrib-2019-094
https://www.drupal.org/sa-contrib-2019-093
https://www.drupal.org/sa-contrib-2019-092
https://www.drupal.org/sa-contrib-2019-096
_____________________________________________________________________

Permissions by Term - Moderately critical - Access bypass -
SA-CONTRIB-2019-095

Project: Permissions by Term
Date: 2019-December-11
Security risk:
Moderately critical 13/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass


Description:

The Permissions by Term module extends Drupal by functionality for
restricting access to single nodes via taxonomy terms.

The module doesn't sufficiently restrict access to node previews, when
the Search API module is used to display nodes in search result lists.


Solution:

Install the latest version:

    If you use the Permissions by Term module for Drupal 8.x, including
all of the 8.x-1.x branch, upgrade to Version 8.x-2.0 or later.
    The settings have been refactored. They are now bundled in the
"permissions_by_term.settings.yml" file. There are not many settings,
so you can simply visit PbT's settings page and set them manually,
such as the "single term restriction" setting.

Also see the Permissions by Term project page.


Reported By:

    Tamás Nagy

Fixed By:

    Peter Majmesku

Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Modal Page - Moderately critical - Access bypass - SA-CONTRIB-2019-094

Project: Modal Page
Version:
8.x-2.4
8.x-2.3
8.x-2.2
8.x-2.1
8.x-2.0
Date: 2019-December-11
Security risk:
Moderately critical 10/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass


Description:

This project enables administrators to create modal dialogs.

The routes used by the module lacked proper permissions, allowing
untrusted users to access, create and modify modal configurations.
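
As an added illustration (not part of the Drupal advisory and not the Modal
Page module's own code), the shape of this weakness in a Drupal 8
`*.routing.yml` file: the same hypothetical route is shown twice, first with
an unconditional access requirement, then tied to an administrative
permission. Route, form and permission names are constructed for the example.

```yaml
# Constructed example; the route, form and permission names are
# hypothetical and are not taken from the Modal Page module.

# Weak variant: `_access: 'TRUE'` lets every visitor, including anonymous
# users, reach the configuration form for a modal.
example_modal.add_form:
  path: '/admin/structure/example-modal/add'
  defaults:
    _entity_form: 'example_modal.add'
    _title: 'Add modal'
  requirements:
    _access: 'TRUE'

# Corrected variant: the route is only reachable by roles holding a
# dedicated permission, which the module declares in its permissions.yml.
example_modal.add_form:
  path: '/admin/structure/example-modal/add'
  defaults:
    _entity_form: 'example_modal.add'
    _title: 'Add modal'
  requirements:
    _permission: 'administer example modals'
  options:
    _admin_route: TRUE
```

The permissions review that the Solution section asks for is the same
check applied to roles rather than routes: on the site's
/admin/people/permissions page, only trusted roles should hold the
permission that guards these routes.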


Solution:

    If you use the Modal Page module 8.x-2.x, upgrade to 8.x-2.5.
    Review user permissions after updating to ensure only trusted users
have access to manage modals.

Reported By:

    Will Mowlam

Fixed By:

    Renato Gonçalves H
    Thalles Ferreira

Coordinated By:

    Damien McKenna of the Drupal Security Team

_____________________________________________________________________

Taxonomy access fix - Moderately critical - Access bypass -
SA-CONTRIB-2019-093

Project: Taxonomy access fix
Version:
8.x-2.6
8.x-2.5
8.x-2.4
Date: 2019-December-11
Security risk:
Moderately critical 13/25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check:

    if a given entity should be access controlled, defaulting to
allowing access even to unpublished Taxonomy Terms;
    if certain administrative routes should be access controlled,
defaulting to allowing access even to users without permission to access
these administrative routes.

The vulnerability is mitigated by the facts that:

    the user interface to change the status of Taxonomy Terms has been
released in Drupal Core 8.8 and a custom or contributed module is
required in earlier versions of Drupal Core to mark Taxonomy Terms as
unpublished.
    all entity operations (except the view operation) available on
affected administrative routes still require appropriate permissions.
    an attacker must have a role with permission to either access
content or view a Taxonomy Term in a vocabulary.


Solution:

Install the latest version:

    If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy
Access Fix 8.x-2.7.

Also see the Taxonomy Access Fix project page.


Reported By:

    guedressel

Fixed By:

    Julian Pustkuchen
    Patrick Fey
    Oleh Vehera
    guedressel

Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Damien McKenna of the Drupal Security Team
_____________________________________________________________________

Smart Trim - Moderately critical - Cross site scripting -
SA-CONTRIB-2019-092

Project: Smart Trim
Version:
8.x-1.1
8.x-1.0
8.x-1.0-beta1
Date: 2019-December-11
Security risk:
Moderately critical 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting


Description:

The Smart Trim module allows site builders additional control with text
summary fields.

The module doesn't sufficiently filter text when certain options are
selected.

This vulnerability is mitigated by the fact that an attacker must have a
role with the ability to create content on the site when certain options
are selected for the trimmed output.


Solution:

Install the latest version:

    If you use the Smart Trim module for Drupal 8.x, upgrade to
smart_trim-8.x-1.2.

Also see the Smart Trim project page.


Reported By:

    Anne
    Adam Shepherd

Fixed By:

    Anne
    Mark Casias

Coordinated By:

    Damien McKenna of the Drupal Security Team

_____________________________________________________________________

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Project: Webform
Version:
7.x-4.20
7.x-4.20-rc1
7.x-4.19
7.x-4.19-rc1
7.x-4.18
7.x-4.18-rc1
7.x-4.17
7.x-4.17-rc1
7.x-4.16
7.x-4.16-rc1
7.x-4.15
7.x-4.15-rc1
7.x-4.14
7.x-4.13
7.x-4.12
7.x-4.11
7.x-4.10
7.x-4.9
7.x-4.8
7.x-4.7
7.x-4.6
7.x-4.5
7.x-4.4
7.x-4.3
7.x-4.2
7.x-4.1
7.x-4.0
7.x-4.0-rc6
7.x-4.0-rc5
7.x-4.0-rc4
7.x-4.0-rc3
7.x-4.0-rc2
7.x-4.0-rc1
7.x-4.0-beta3
7.x-4.0-beta2
7.x-4.0-beta1
7.x-4.0-alpha10
7.x-4.0-alpha9
7.x-4.0-alpha8
7.x-4.0-alpha7
7.x-4.0-alpha6
7.x-4.0-alpha5
7.x-4.0-alpha4
7.x-4.0-alpha3
7.x-4.0-alpha2
7.x-4.0-alpha1
7.x-3.28-rc1
7.x-3.27
7.x-3.27-rc1
7.x-3.26
7.x-3.26-rc1
7.x-3.25
7.x-3.24
7.x-3.23
7.x-3.22
7.x-3.21
7.x-3.20
7.x-3.19
7.x-3.18
7.x-3.17
7.x-3.16
7.x-3.15
7.x-3.13
7.x-3.12
7.x-3.11
7.x-3.10
7.x-3.9
7.x-3.8
7.x-3.7
7.x-3.6
7.x-3.4-beta1
7.x-3.3-beta1
7.x-3.0-beta8
7.x-3.0-beta7
7.x-3.0-beta6
7.x-3.0-beta5
7.x-3.0-beta4
7.x-3.0-beta3
7.x-3.0-beta2
Date: 2019-December-11
Security risk:
Critical 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Multiple vulnerabilities


Description:

This module enables you to create forms to collect information from
users and report, analyze and distribute it by email.

The 7.x-3.x module doesn't sufficiently sanitize token values taken from
query strings. If a query string token is used as the value of a markup
component, an attacker can inject JavaScript into a page.

The 7.x-4.x module doesn't sufficiently protect against an attacker
changing the submission identifier of a draft webform, thereby
overwriting another user's submission. Confidential information is not
disclosed, but information can be overwritten and therefore lost or
forged.

The 7.x-4.x vulnerability is mitigated by the fact that an attacker must
have a role with permission to submit a webform and the webform must
have the advanced form setting of either 'Show "Save draft" button'
and/or "Automatically save as draft between pages and when there are
validation errors". Neither of these two options is enabled by default.
Anonymous users cannot submit drafts and therefore cannot exploit this
vulnerability.


Solution:

Install the latest version:

    If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform
7.x-3.29 or to Webform 7.x-4.21.
    If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform
7.x-4.21.

Reported By:

    Robin De Herdt
    Ayesh Karunaratne

Fixed By:

    Robin De Herdt
    Ayesh Karunaratne
    Liam Morland
    Dan Chadwick
    Roman Zimmermann

Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Michael Hess of the Drupal Security Team


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


