====================================================================== CERT-Renater Note d'Information No. 2024/VULN491 _____________________________________________________________________ DATE : 22/11/2024 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Drupal core versions prior to 7.102, 10.2.11, 10.3.9, 11.0.8. ===================================================================== https://www.drupal.org/sa-core-2024-005 https://www.drupal.org/sa-core-2024-003 https://www.drupal.org/sa-core-2024-004 https://www.drupal.org/sa-core-2024-006 https://www.drupal.org/sa-core-2024-007 https://www.drupal.org/sa-core-2024-008 _____________________________________________________________________ Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 Project: Drupal core Date: 2024-November-20 Security risk: Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross Site Scripting Affected versions: >=7.0 <7.102 Description: Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability. Solution: Install the latest version: If you are using Drupal 7, update to Drupal 7.102 Sites may also disable the Overlay module to avoid the issue. Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8. Reported By: Cesar Fixed By: Cesar Greg Knaddison of the Drupal Security Team Matthew Grill Wim Leers Drew Webber of the Drupal Security Team Ra Mänd Fabian Franz Juraj Nemec of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Greg Knaddison of the Drupal Security Team xjm of the Drupal Security Team _____________________________________________________________________ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross Site Scripting Affected versions: >= 8.8.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description: Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Jay Beaton Fixed By: Lee Rowlands of the Drupal Security Team catch of the Drupal Security Team Mingsong Juraj Nemec of the Drupal Security Team Dave Long of the Drupal Security Team Benji Fisher of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Greg Knaddison of the Drupal Security Team _____________________________________________________________________ Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default Vulnerability: Access bypass Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description: Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance. Reported By: Wayne Eaker Fixed By: Wayne Eaker cilefen of the Drupal Security Team Kristiaan Van den Eynde Drew Webber of the Drupal Security Team Lee Rowlands of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team _____________________________________________________________________ Drupal core - Less critical - Gadget chain - SA-CORE-2024-006 Project: Drupal core Date: 2024-November-20 Security risk: Less critical 8 ∕ 25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError. Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Lee Rowlands of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team _____________________________________________________________________ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError. Solution: Install the latest version: If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. If you are using Drupal 11.0, update to Drupal 11.0.8. Drupal 7 is not affected. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Lee Rowlands of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Greg Knaddison of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team _____________________________________________________________________ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 Project: Drupal core Date: 2024-November-20 Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: Gadget chain Affected versions: >=7.0 < 7.102 || >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. Solution: Install the latest version: If you are using Drupal 7, update to Drupal 7.102. If you are using Drupal 10.2, update to Drupal 10.2.11. If you are using Drupal 10.3, update to Drupal 10.3.9. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Reported By: Drew Webber of the Drupal Security Team Fixed By: Drew Webber of the Drupal Security Team Fabian Franz Juraj Nemec of the Drupal Security Team Lee Rowlands of the Drupal Security Team Dave Long of the Drupal Security Team Alex Pott of the Drupal Security Team Coordinated By: Juraj Nemec of the Drupal Security Team Benji Fisher of the Drupal Security Team xjm of the Drupal Security Team ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================