
===================================================================
                             CERT-Renater

                  Note d'Information No. 2023/VULN230

_____________________________________________________________________

DATE                : 23/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Album Photos for Drupal,
                       Civic Cookie Control for Drupal,
                       Office Hours for Drupal.

====================================================================
https://www.drupal.org/sa-contrib-2023-022
https://www.drupal.org/sa-contrib-2023-021
https://www.drupal.org/sa-contrib-2023-020
_____________________________________________________________________

Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022
Project:   Album Photos
Date:      2023-June-21
Security risk: Critical 15/25
AC:None/A:Admin/CI:All/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass


Description:
This module enables you to create and manage photos and photo albums
on your website.

The module doesn't sufficiently check node access when a user is
provided the "edit any photo" or "delete any photo" permissions.

This vulnerability is mitigated by the fact that an attacker must
have a role with the permission "edit any photo" or "delete any
photo".


Solution:
Install the latest version:

     If you use the 6.0.x version of the photos module for Drupal 9
     or 10, upgrade to photos 6.0.4
     If you use the 8.x version of the photos module for Drupal 9,
     upgrade to photos 8.x-4.5


Reported By:
     Marco Bouwer


Fixed By:
     Nathaniel Burnett
     Marco Bouwer


Coordinated By:
     Chris McCafferty of the Drupal Security Team
     Damien McKenna of the Drupal Security Team
     Greg Knaddison of the Drupal Security Team

_____________________________________________________________________

Civic Cookie Control - Moderately critical - Cross Site Scripting
- SA-CONTRIB-2023-021

Project:   Civic Cookie Control
Date:      2023-June-21
Security risk: Moderately critical 11/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting


Description:
CivicCookieControl is a module that can help make a website compliant
with EU and UK cookie legislation.

The Civic GovUK Cookie Control module does not sufficiently sanitize
the configuration resulting in a Cross-Site Scripting (XSS)
vulnerability.

This vulnerability is mitigated by the fact that the attacker must
have a role with the "Administer Civic Cookie Control" permission.


Solution:
Install the latest version:

     If you use the Civic Cookie Control module for Drupal 9.x,
     upgrade to Civic Cookie Control 4.4.13


Reported By:
     Mitch Portier


Fixed By:
     Thanassis Perperis
     Mitch Portier

Coordinated By:
     Damien McKenna of the Drupal Security Team
     Greg Knaddison of the Drupal Security Team


_____________________________________________________________________

Office Hours - Moderately critical - Cross Site Scripting -
SA-CONTRIB-2023-020


Project:   Office Hours
Version:   8.x-1.5, 8.x-1.4, 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date:      2023-June-14
Security risk: Moderately critical 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting


Description:
This module enables you to define a 'weekly office hours' field type, and
add a field to any Content type, in order to display the weekly opening
hours for a location.

The module doesn't sufficiently filter user-supplied text leading to
a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs
additional permissions. The vulnerability can be exploited by an
attacker with a role with the permission "administer display"
regardless of other configurations. In some scenarios, the
vulnerability can be exploited by a user with "Create content"
or "Edit content" for a relevant Content type.


Solution:
Install the latest version:

     If you use the 'Office hours' module for Drupal 8.x, upgrade
     to office_hours 8.x-1.11


Reported By:
     John Voskuilen
     Mitch Portier


Fixed By:
     John Voskuilen
     Mitch Portier


Coordinated By:
     Greg Knaddison of the Drupal Security Team
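
The three advisories above all resolve to "upgrade to at least version X",
and the only check an operator needs is whether each installed release is
below that threshold. Drupal contrib uses two numbering schemes (legacy
"8.x-1.5" and semver "6.0.4"), and a naive string comparison gets them
wrong ("8.x-1.5" sorts after "8.x-1.11"). The script below is an added
example written for this bulletin, not code from CERT-Renater or the Drupal
projects: it parses both schemes, matches an installed release to the
branch the advisory covers, and reports it as vulnerable, fixed, or not
covered by these advisories. The fixed versions are the ones stated above;
the machine name "civiccookiecontrol" is an assumption (the page only gives
"photos" and "office_hours"), and treating a pre-release of the fixed
version (e.g. "8.x-1.11-rc1") as still vulnerable is a conservative choice
made here, not something the advisories state. The installed-version
inventory at the bottom is constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per project, as stated in SA-CONTRIB-2023-020/021/022.
# "civiccookiecontrol" is an assumed machine name; the advisory text only
# names the project as "Civic Cookie Control".
FIXED_VERSIONS: Dict[str, List[str]] = {
    "photos": ["6.0.4", "8.x-4.5"],
    "civiccookiecontrol": ["4.4.13"],
    "office_hours": ["8.x-1.11"],
}

# Matches "8.x-1.5", "6.0.4", and pre-releases such as "8.x-1.11-rc1".
_VERSION_RE = re.compile(
    r"^(?:(?P<core>\d+\.x)-)?(?P<nums>\d+(?:\.\d+)*)(?:-(?P<pre>[a-z0-9]+))?$"
)


def parse_version(text: str) -> Tuple[Optional[str], Tuple[int, ...], int]:
    """Split a Drupal release string into (core prefix, numeric parts, release flag).

    The release flag is 1 for a final release and 0 for alpha/beta/rc/dev, so
    that (nums, flag) tuples order pre-releases before the final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    release = 0 if m.group("pre") else 1
    return m.group("core"), nums, release


def branch_of(core: Optional[str], nums: Tuple[int, ...]) -> str:
    """Release branch an advisory line refers to.

    Legacy releases share their core-compatibility branch ("8.x" for every
    8.x-N.M release); semver releases share major.minor ("6.0" for 6.0.x).
    """
    if core:
        return core
    return ".".join(str(n) for n in nums[:2])


def assess(project: str, installed: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-covered' for one installed release."""
    core, nums, release = parse_version(installed)
    branch = branch_of(core, nums)
    for fixed in FIXED_VERSIONS.get(project, []):
        fcore, fnums, frelease = parse_version(fixed)
        if branch_of(fcore, fnums) != branch:
            continue
        # Numeric tuple comparison: (1, 5) < (1, 11), unlike the strings.
        return "vulnerable" if (nums, release) < (fnums, frelease) else "fixed"
    # A branch none of the three advisories mentions (e.g. photos 7.x).
    return "not-covered"


def scan(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every (project -> installed version) pair in an inventory."""
    return {project: assess(project, version) for project, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. what `composer show` or
    # `drush pm:list` output would be reduced to on a real site.
    sample_inventory = {
        "photos": "8.x-4.3",
        "civiccookiecontrol": "4.4.13",
        "office_hours": "8.x-1.5",
    }
    for project, status in scan(sample_inventory).items():
        print(f"{project:<20} {sample_inventory[project]:<12} {status}")
```

The branch matching mirrors the wording of each "Solution" section: the
8.x line of photos is covered as a whole, so an 8.x-3.x install is reported
against 8.x-4.5, while a release on a branch the advisories never mention is
reported as not covered rather than silently passed.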



=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================