====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN085
_____________________________________________________________________

DATE                : 20/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Profile for Drupal,
                        SpamSpan filter for Drupal.

=====================================================================
https://www.drupal.org/sa-contrib-2020-004
https://www.drupal.org/sa-contrib-2020-002
_____________________________________________________________________

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

Project: Profile
Date: 2020-February-19
Security risk:
Moderately critical 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access Bypass


Description:

The Profile module enables you to allow users to have configurable user
profiles.

The module doesn't sufficiently check access when creating a user
profile. Users with the "create profiles" permission could create
profiles for any users.


Solution:

Install the latest version:

    If you use the Profile module for Drupal 8.x, upgrade to Profile 8.x-1.1

Also see the Profile project page.


Reported By:

    karl972


Fixed By:

    Matt Glaman
    Bojan Živanović


Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

SpamSpan filter - Moderately critical - Cross site scripting -
SA-CONTRIB-2020-002

Project: SpamSpan filter
Date: 2020-January-22
Security risk:
Moderately critical 11∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting


Description:

The SpamSpan module obfuscates email addresses to help prevent spambots
from collecting them.

This module contains a spamspan twig filter which doesn't sanitize the
passed HTML string.

This vulnerability is mitigated by the fact that sites must have custom
twig template files that use the SpamSpan filter on a field that an
attacker could populate. By default the SpamSpan module does not use the
vulnerable twig filter.


Solution:

Install the latest version:

    If you use the SpamSpan module for Drupal 8.x, upgrade to SpamSpan
8.x-1.1

Also see the SpamSpan filter project page.


Reported By:

    Jeroen Tubex


Fixed By:

    Jeroen Tubex
    vitalie


Coordinated By:

    Ben Jeavons of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================