
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN428
_____________________________________________________________________

DATE                : 24/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Modal Form for Drupal versions
                     prior to 8.x-1.2,
                     Apigee Edge for Drupal versions prior to 8.x-1.12,
                     Easy Breadcrumb for Drupal versions prior to 8.x-1.13.

=====================================================================
https://www.drupal.org/sa-contrib-2020-029
https://www.drupal.org/sa-contrib-2020-028
https://www.drupal.org/sa-contrib-2020-027
_____________________________________________________________________

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk:
Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass


Description:

The Modal Form module is a toolset for quickly presenting forms in
modal windows.

When the modal_form module is installed, any form on the site can be
viewed and submitted through it, without authentication (the risk
score above records A:None). The only thing an attacker needs to know
is the form's fully-qualified class name.


Solution:

Upgrade to modal_form-8.x-1.2.


Also see the Modal Form project page.


Reported By:

    Dave Long

Fixed By:

    Sergii Bondarenko

Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk:
Moderately critical 10/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass


Description:

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in
order to build a developer portal. It contains an "Apigee Edge Teams"
submodule that provides shared app functionality by allowing developers
to be organized into teams.

The "Apigee Edge Teams" submodule has an information disclosure
vulnerability. The "Add team member" form displays an email autocomplete
field which can expose the email addresses of other accounts in the
system.

This vulnerability is mitigated by the fact that to have access to the
form, the site must have the Apigee Edge Teams submodule enabled, and
the user must have a team role that has the "Manage team members"
permission. (Note that team roles and permissions are not related to
Drupal core roles and permissions).


Solution:

Install the latest version:

    If you use the apigee_edge_teams submodule for Drupal 8.x, upgrade
to Apigee Edge module 8.x-1.12.

Also see the Apigee Edge project page.


Reported By:

    Arlina Espinoza Rhoton

Fixed By:

    Arlina Espinoza Rhoton
    Chris Novak

Coordinated By:

    Greg Knaddison of the Drupal Security Team


_____________________________________________________________________

Easy Breadcrumb - Moderately critical - Cross site scripting -
SA-CONTRIB-2020-027

Project: Easy Breadcrumb
Version: 8.x-1.12
         8.x-1.10
Date: 2020-July-22
Security risk:
Moderately critical 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

This module uses the current URL (path alias) and the current page's
title to automatically extract the breadcrumb's segments and their
respective links, then shows them as breadcrumbs on your website.

The module does not sufficiently sanitize editor input in certain
circumstances, leading to a Cross Site Scripting (XSS) vulnerability.

Exploiting this vulnerability requires that the user have the
'administer Easy Breadcrumb settings' permission.


Solution:

Install the latest version:

    If you use the Easy Breadcrumb module for Drupal 8, upgrade to Easy
Breadcrumb 8.x-1.13.

Also see the Easy Breadcrumb project page.


Reported By:

    Greg Boggs

Fixed By:

    Greg Boggs
    Samuel Mortenson of the Drupal Security Team

Coordinated By:

    Greg Knaddison of the Drupal Security Team

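The three Solution sections above each name a fixed release. The
following script, added to this note as an example and not part of the
Drupal advisories or of any of the three projects, checks a Composer
lock file against those fixed releases. It is an assumption of the
example that the site is Composer-managed and that the packages appear
under their drupal.org names (drupal/modal_form, drupal/apigee_edge,
drupal/easy_breadcrumb); the composer.lock excerpt embedded below is
constructed for the demonstration. Both version spellings are handled,
the drupal.org form (8.x-1.11) and the Composer form (1.11.0), and a
-dev snapshot is reported as "unknown" rather than guessed at.

```python
"""Check a composer.lock against the fixed releases named in
SA-CONTRIB-2020-027, -028 and -029 (example, not project code)."""
import json
import re

# Fixed releases taken from the three advisories above.
FIXED_VERSIONS = {
    "drupal/modal_form": "8.x-1.2",
    "drupal/apigee_edge": "8.x-1.12",
    "drupal/easy_breadcrumb": "8.x-1.13",
}

# Constructed composer.lock excerpt for the demonstration; not from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/modal_form", "version": "1.1.0"},
        {"name": "drupal/apigee_edge", "version": "8.x-1.12"},
        {"name": "drupal/easy_breadcrumb", "version": "8.x-1.x-dev"},
        {"name": "drupal/core", "version": "8.9.1"},
    ]
})

# Accepts "8.x-1.11", "1.11" and "1.11.0"; rejects pre-release and -dev strings.
_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Return (major, minor, patch) for a release string, or None when the
    string is a -dev snapshot or otherwise not a plain release."""
    if version.endswith("-dev"):
        return None
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_lock(lock_json, fixed=FIXED_VERSIONS):
    """Return {package: status} for every covered package present in the
    lock. status is 'vulnerable' (below the fixed release), 'fixed', or
    'unknown' (dev snapshot or unparsable version; inspect by hand)."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]

    result = {}
    for name, fixed_version in fixed.items():
        if name not in installed:
            continue  # module not present in this code base
        have = parse_version(installed[name])
        need = parse_version(fixed_version)
        if have is None:
            result[name] = "unknown"
        elif have < need:
            result[name] = "vulnerable"
        else:
            result[name] = "fixed"
    return result


if __name__ == "__main__":
    for name, status in check_lock(SAMPLE_LOCK).items():
        print(f"{name}: {status}")
```

Run it against a real lock with `check_lock(open("composer.lock").read())`.
Package presence is not the same as exposure: the Apigee Edge issue only
applies when the apigee_edge_teams submodule is enabled, so confirm that
with `drush pm:list --type=module --status=enabled` before deciding a
site is unaffected, and treat any "unknown" result as needing a manual
check of the installed snapshot.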

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
