
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN524
_____________________________________________________________________

DATE                : 17/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to 7.73,
                                      8.8.10, 8.9.6, 9.0.6.

=====================================================================
https://www.drupal.org/sa-core-2020-011
https://www.drupal.org/sa-core-2020-008
https://www.drupal.org/sa-core-2020-010
https://www.drupal.org/sa-core-2020-009
https://www.drupal.org/sa-core-2020-007
_____________________________________________________________________

Drupal core - Moderately critical - Information disclosure -
SA-CORE-2020-011

Project: Drupal core
Date: 2020-September-16
Security risk:
Moderately critical 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information disclosure
CVE IDs: CVE-2020-13670


Description:

A vulnerability exists in the File module which allows an attacker to
gain access to the file metadata of a permanent private file that they
are not otherwise permitted to access, by guessing the file's ID.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.


Reported By:

    David Rothstein of the Drupal Security Team
    Ivan
    elarlang
    Mori Sugimoto of the Drupal Security Team
    kyk

Fixed By:

    Michael Hess of the Drupal Security Team
    Peter Wolanin of the Drupal Security Team
    Stefan Ruijsenaars
    David Rothstein of the Drupal Security Team
    Jess of the Drupal Security Team
    Ben Dougherty of the Drupal Security Team
    Frédéric G. Marand
    Samuel Mortenson of the Drupal Security Team
    Joseph Zhao, provisional member of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team


_____________________________________________________________________

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Project: Drupal core
Date: 2020-September-16
Security risk:
Moderately critical 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
CVE IDs: CVE-2020-13667


Description:

The experimental Workspaces module allows you to create multiple
workspaces on your site in which draft content can be edited before
being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when
switching workspaces, leading to an access bypass vulnerability. An
attacker might be able to see content before the site owner intends
people to see the content.

This vulnerability is mitigated by the fact that sites are only
vulnerable if they have installed the experimental Workspaces module.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may
continue to see unauthorized workspace content that they accessed
previously until they are logged out.

If it is important for the unintended access to stop immediately, you
may wish to end all active user sessions on your site (for example, by
truncating the sessions table). Be aware that this will immediately log
all users out and can cause side effects like lost user input.


Reported By:

    Andrei Mateescu

Fixed By:

    Andrei Mateescu
    Jess of the Drupal Security Team
    Nathaniel Catchpole of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    Greg Knaddison of the Drupal Security Team
    Dick Olsson



_____________________________________________________________________

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Project: Drupal core
Date: 2020-September-16
Security risk:
Moderately critical 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13669


Description:

Drupal core's built-in CKEditor image caption functionality is
vulnerable to XSS.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.


Reported By:

    Dor Tumarkin
    Krzysztof Krzton

Fixed By:

    Samuel Mortenson of the Drupal Security Team
    Wim Leers
    Henrik Danielsson
    Dor Tumarkin
    Jess of the Drupal Security Team
    Krzysztof Krzton
    Lee Rowlands of the Drupal Security Team

_____________________________________________________________________

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Project: Drupal core
Date: 2020-September-16
Security risk:
Critical 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13668


Description:

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability
under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected
forms in order to exploit the vulnerability.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override
\Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or
buildFormAction() methods in contrib and/or custom code should ensure
that appropriate sanitization is applied for URLs.


Reported By:

    Nuno Ramos
    markwittens
    Nathan Dentzau
    Marc Addeo
    Alejandro Garza
    Drew Webber of the Drupal Security Team

Fixed By:

    Lee Rowlands of the Drupal Security Team
    David Rothstein of the Drupal Security Team
    Wim Leers
    Vijay Mani, provisional member of the Drupal Security Team
    Drew Webber of the Drupal Security Team
    Nathan Dentzau
    Heine of the Drupal Security Team
    Joseph Zhao, provisional member of the Drupal Security Team
    Jess of the Drupal Security Team
    Tim Plunkett

_____________________________________________________________________

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk:
Moderately critical 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666


Description:

The Drupal AJAX API does not disable JSONP by default, which can lead to
cross-site scripting.


Solution:

Install the latest version:

    If you are using Drupal 7.x, upgrade to Drupal 7.73.
    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal's AJAX API to perform trusted
JSONP requests, you'll either need to override the AJAX options to set
"jsonp: true", or you'll need to use the jQuery AJAX API directly.

If you are using jQuery's AJAX API for user-provided URLs in a contrib
or custom module, you should review your code and set "jsonp: false"
where this is appropriate.


Update

Drupal 7 sites should also pass such URLs through the new
Drupal.sanitizeAjaxUrl() function.
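The two remediation notes above (set "jsonp: false" for user-provided URLs, and
pass such URLs through a sanitizer) are easier to audit with a concrete check.
The following is an added example and is not code from Drupal or jQuery: it
mirrors jQuery's rule that a "=?" placeholder (e.g. "callback=?") in the URL or
form-encoded data of a JSON request is silently turned into a JSONP request,
i.e. a <script> tag loading that URL. wouldUseJsonp() predicts that outcome for
an option object so a reviewer can flag call sites, and hardenedAjaxOptions()
builds options for a user-supplied URL with JSONP forced off and the target
pinned to the site's own origin. The names, the siteOrigin parameter and the
same-origin check are this example's own choices; the check is an illustration
and is not the Drupal 7 Drupal.sanitizeAjaxUrl() function.

```javascript
// Added example (not Drupal's or jQuery's code). Assumption: the regex
// below reproduces jQuery's JSONP placeholder rule, "=?" followed by "&"
// or end-of-string, or a bare "??".
const JSONP_PLACEHOLDER = /(=)\?(?=&|$)|\?\?/;

// Predict whether jQuery.ajax(options) would become a JSONP request
// (script injection) rather than an XHR. Mirrors jQuery's ordering:
// an explicit dataType of "jsonp" always wins; otherwise the "=?"
// rewrite only applies to JSON requests and only when jsonp !== false.
function wouldUseJsonp(options) {
  if (options.dataType === 'jsonp') {
    return true;                       // explicit JSONP, jsonp:false does not stop it
  }
  if (options.jsonp === false) {
    return false;                      // "=?" rewriting disabled: plain XHR
  }
  if (options.dataType !== 'json') {
    return false;                      // html/text/xml/unspecified never auto-upgrade
  }
  const url = String(options.url || '');
  const data = typeof options.data === 'string' ? options.data : '';
  return JSONP_PLACEHOLDER.test(url) || JSONP_PLACEHOLDER.test(data);
}

// Build jQuery AJAX options for a URL that came from user input (a form
// field, a data attribute, a query string). siteOrigin is the page's own
// origin, passed in explicitly so this runs outside a browser (assumption
// of this example). Rejects anything that does not resolve to that origin
// and forces a JSON XHR so no <script> element can be injected.
function hardenedAjaxOptions(userUrl, siteOrigin, extra = {}) {
  let resolved;
  try {
    resolved = new URL(String(userUrl), siteOrigin);   // relative URLs resolve here
  } catch (e) {
    throw new Error('rejected: unparsable URL');
  }
  // "javascript:" and "data:" URLs have origin "null" and fail this test,
  // as do any absolute URLs pointing at another host.
  if (resolved.origin !== new URL(siteOrigin).origin) {
    throw new Error('rejected: cross-origin AJAX target ' + resolved.origin);
  }
  // Caller-supplied options are kept, but the three fields that decide
  // whether a script tag is emitted are overridden last so they cannot
  // be re-enabled by "extra".
  return Object.assign({}, extra, {
    url: resolved.href,
    dataType: 'json',                  // never "jsonp"
    jsonp: false,                      // never rewrite "=?" into a callback
  });
}

// Constructed sample inputs for a stand-alone run.
const naive = { url: 'https://evil.invalid/x?callback=?', dataType: 'json' };
console.log('naive options become JSONP:', wouldUseJsonp(naive));
const safe = hardenedAjaxOptions('/system/ajax?callback=?', 'https://site.example');
console.log('hardened options become JSONP:', wouldUseJsonp(safe), safe);
```

A code review for this advisory is then a search for jQuery.ajax/getJSON
call sites whose URL or data is not a constant, followed by running their
option objects through wouldUseJsonp(); any true result on user-influenced
input is a site that needs "jsonp: false" or the wrapper above.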


Reported By:

    Samuel Mortenson of the Drupal Security Team

Fixed By:

    Samuel Mortenson of the Drupal Security Team
    Théodore Biadala
    Lee Rowlands of the Drupal Security Team
    David Snopek of the Drupal Security Team
    Nathaniel Catchpole of the Drupal Security Team
    Alex Bronstein of the Drupal Security Team
    Drew Webber of the Drupal Security Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================