
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN304
_____________________________________________________________________

DATE                : 03/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenID Connect / OAuth client for
                      Drupal versions prior to 8.x-1.1, 7.x-1.0,
                      GraphQL versions prior to 8.x-4.1,
                      Frequently Asked Questions versions prior to 7.x-1.3,
                      Open Social versions prior to 8.x-9.17, 10.0.13,
                      10.1.6.

=====================================================================
https://www.drupal.org/sa-contrib-2021-014
https://www.drupal.org/sa-contrib-2021-013
https://www.drupal.org/sa-contrib-2021-012
https://www.drupal.org/sa-contrib-2021-011
https://www.drupal.org/sa-contrib-2021-010
____________________________________________________________________


OpenID Connect / OAuth client - Moderately critical - Access bypass -
SA-CONTRIB-2021-014


Project:         OpenID Connect / OAuth client
Date:            2021-June-02
Security risk:
Moderately critical 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:    Access bypass


Description:

This module allows users to authenticate against an OAuth 2.0 / OpenID
Connect identity provider to log in to your Drupal site.

The module doesn't sufficiently protect against unauthorized local
access, by way of using the 'password reset' facility, for users who are
supposed to only be able to log in through the identity provider. This
creates a scenario where after such a user is blocked from logging in
through the identity provider but not explicitly blocked in Drupal, they
are still able to log in by sending themselves a Drupal 'password reset'
e-mail.


Solution:

Install the latest version:

    If you use the openid_connect module for Drupal 8/9, upgrade to
      openid_connect 8.x-1.1
    If you use the openid_connect module for Drupal 7, upgrade to
      openid_connect 7.x-1.0


Reported By:

    Jeffrey Bertoen


Fixed By:

    João Ventura
    Philip Frilling
    Jeffrey Bertoen


Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Drew Webber of the Drupal Security Team


____________________________________________________________________

GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013

Project:         GraphQL
Date:            2021-June-02
Security risk:
Moderately critical 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability:    Information Disclosure


Description:

This module lets you craft and expose a GraphQL web service API.

The module does not sufficiently protect arbitrary exception and error
messages, thereby exposing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that a GraphQL server must
be enabled and a data producer be configured that throws exceptions with
confidential error messages that must not be exposed over the GraphQL
API.


Solution:

Install the latest version:

    If you use the GraphQL module for Drupal 8.x, upgrade to GraphQL
      8.x-4.1


Reported By:

    Alex Tkachev


Fixed By:

    Klaus Purer
    Radoslav Terezka


Coordinated By:

    Greg Knaddison of the Drupal Security Team

__________________________________________________________________________

Frequently Asked Questions - Moderately critical - Cross Site Scripting
- SA-CONTRIB-2021-012

Project:          Frequently Asked Questions
Date:             2021-June-02
Security risk:
Moderately critical 11∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability:    Cross Site Scripting


Description:

The Frequently Asked Questions (faq) module allows users, with
appropriate permissions, to create question and answer pairs which they
want displayed on the 'faq' page. The 'faq' page is automatically
generated from the FAQ nodes configured. Basic Views layouts are also
provided and can be customised via the Views UI (rather than via the
module settings page).

The module doesn't sufficiently sanitize editor input leading to a Cross
Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a
role with the "create faq content" permission.


Solution:

Install the latest version:

    If you use the Frequently Asked Questions module for Drupal 7.x,
      upgrade to Frequently Asked Questions 7.x-1.3


Reported By:

    Mitch Portier


Fixed By:

    Mitch Portier
    Mohammed Razem
    Vijay Mani, Provisional Member of the Drupal Security Team


Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Project:         Open Social
Date:            2021-June-02
Security risk:
Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability:    Authentication Bypass


Description:

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate
magic login URLs for user accounts. The lack of validation makes it
possible for an adversary to forge valid login URLs and log in to such an
account.

This vulnerability is mitigated by the fact that the social_magic_login
module needs to be enabled.
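
The checks a signed login link has to pass before it authenticates anyone,
as an added PHP example. It is not code from Open Social or from its fix;
SITE_SECRET, the /login-link/ path layout and the account array fields are
assumptions made for the illustration.

```php
<?php
// Added illustration; SITE_SECRET, link layout and account fields are assumed.
const SITE_SECRET = 'constructed-example-secret'; // really: random, server-side only
const LINK_LIFETIME = 900;                        // seconds a link stays valid

// The MAC covers uid, issue time and per-account state, and is keyed with the
// password hash too, so a login or password change invalidates older links.
function login_link_mac(array $account, int $issued): string {
    $data = implode(':', [$account['uid'], $issued, $account['last_login']]);
    return hash_hmac('sha256', $data, SITE_SECRET . $account['pass_hash']);
}

function make_login_link(array $account, int $now): string {
    return sprintf('/login-link/%d/%d/%s', $account['uid'], $now,
        login_link_mac($account, $now));
}

// $accounts maps uid => account row. Every check must pass.
function validate_login_link(string $path, array $accounts, int $now): bool {
    if (!preg_match('#^/login-link/(\d+)/(\d+)/([0-9a-f]{64})$#', $path, $m)) {
        return false;                              // malformed link
    }
    $uid = (int) $m[1];
    $issued = (int) $m[2];
    $account = $accounts[$uid] ?? null;
    if ($account === null || !$account['active']) {
        return false;                              // unknown or blocked account
    }
    if ($issued > $now || $now - $issued > LINK_LIFETIME) {
        return false;                              // future-dated or expired
    }
    if ($issued < $account['last_login']) {
        return false;                              // issued before the last login
    }
    // Recompute the MAC server-side and compare in constant time.
    return hash_equals(login_link_mac($account, $issued), $m[3]);
}

// Constructed sample account and link.
$now = 1622635200;
$accounts = [7 => ['uid' => 7, 'active' => true,
    'last_login' => $now - 86400, 'pass_hash' => 'constructed-hash']];
$link = make_login_link($accounts[7], $now);
$moved = str_replace("/$now/", '/' . ($now + 30) . '/', $link);
var_dump(validate_login_link($link, $accounts, $now + 60));   // unmodified link
var_dump(validate_login_link($moved, $accounts, $now + 60));  // issue time altered
var_dump(validate_login_link($link, $accounts, $now + 3600)); // past the lifetime
$accounts[7]['last_login'] = $now + 30;                       // account logs in
var_dump(validate_login_link($link, $accounts, $now + 60));   // replay afterwards
```

Only the first call is accepted; the other three are rejected by the MAC
comparison, the lifetime check and the last-login check respectively.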


Solution:

Install the latest version of Open Social:

    If you use the Open Social distribution for Drupal 10.0.x, upgrade
      to Open Social 10.0.13

    If you use the Open Social distribution for Drupal 10.1.x, upgrade
      to Open Social 10.1.6

Alternatively, disable the module social_magic_login.


Reported By:

    Ronald te Brake
    Alexander Varwijk
    Robert Ragas


Fixed By:

    Ronald te Brake
    Alexander Varwijk
    Robert Ragas


Coordinated By:

    Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Project:          Open Social
Date:             2021-June-02
Security risk:
Moderately critical 11∕25
AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default
Vulnerability:     SQL Injection


Description:

This Open Social distribution provides a turn-key system for building
customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "access mentions".


Solution:

Install the latest version:

    If you use Open Social 9.x, upgrade to 8.x-9.17
    If you use Open Social 10.0.x, upgrade to 10.0.13
    If you use Open Social 10.1.x, upgrade to 10.1.6


Reported By:

    mindaugasd


Fixed By:

    mindaugasd
    Alexander Varwijk
    Drew Webber of the Drupal Security Team
    Ronald te Brake
    Neil Drumm of the Drupal Security Team


Coordinated By:

    Greg Knaddison of the Drupal Security Team




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


