View online: https://www.drupal.org/sa-core-2020-007

Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site scripting

CVE IDs: CVE-2020-13666
Description: 
The Drupal AJAX API does not disable JSONP by default, which can lead to
cross-site scripting.

Solution: 
Install the latest version:

* If you are using Drupal 7.x, upgrade to Drupal 7.73 [3].
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [4].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [5].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [6].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal’s AJAX API to perform trusted JSONP
requests, you’ll either need to override the AJAX options to set “jsonp:
true”, or you’ll need to use the jQuery AJAX API directly.

If you are using jQuery’s AJAX API for user-provided URLs in a contrib or
custom module, you should review your code and set “jsonp: false” where this
is appropriate.

Reported By: 
* Samuel Mortenson [7] of the Drupal Security Team

Fixed By: 
* Samuel Mortenson [8] of the Drupal Security Team
* Théodore Biadala [9]
* Lee Rowlands [10] of the Drupal Security Team
* David Snopek [11] of the Drupal Security Team
* Nathaniel Catchpole [12] of the Drupal Security Team
* Alex Bronstein [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/7.73
[4] https://www.drupal.org/project/drupal/releases/8.8.10
[5] https://www.drupal.org/project/drupal/releases/8.9.6
[6] https://www.drupal.org/project/drupal/releases/9.0.6
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/598310
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/266527
[12] https://www.drupal.org/user/35733
[13] https://www.drupal.org/user/78040
[14] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2020-008

Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

CVE IDs: CVE-2020-13667
Description: 
The experimental Workspaces module allows you to create multiple workspaces
on your site in which draft content can be edited before being published to
the live workspace.

The Workspaces module doesn’t sufficiently check access permissions when
switching workspaces, leading to an access bypass vulnerability. An attacker
might be able to see content before the site owner intends people to see the
content.

This vulnerability is mitigated by the fact that sites are only vulnerable if
they have installed the experimental Workspaces module.

Solution: 
Install the latest version:

* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may continue
to see unauthorized workspace content that they accessed previously until
they are logged out.

If it is important for the unintended access to stop immediately, you may
wish to end all active user sessions on your site (for example, by truncating
the sessions table). Be aware that this will immediately log all users out
and can cause side effects like lost user input.

Reported By: 
* Andrei Mateescu [6]

Fixed By: 
* Andrei Mateescu [7]
* Jess [8] of the Drupal Security Team
* Nathaniel Catchpole [9] of the Drupal Security Team
* Lee Rowlands [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Dick Olsson [12]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/729614
[7] https://www.drupal.org/user/729614
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/35733
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/239911

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2020-009

Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

CVE IDs: CVE-2020-13668
Description: 
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability
under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms
in order to exploit the vulnerability.

Solution: 
Install the latest version:

* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override
\Drupal\Core\Form\FormBuilder’s renderPlaceholderFormAction() and/or
buildFormAction() methods in contrib and/or custom code should ensure that
appropriate sanitization is applied for URLs.

Reported By: 
* Nuno Ramos [6]
* markwittens [7]
* Nathan Dentzau [8]
* Marc Addeo [9]
* Alejandro Garza [10]

Fixed By: 
* Lee Rowlands [11] of the Drupal Security Team
* David Rothstein [12] of the Drupal Security Team
* Wim Leers [13]
* Vijay Mani [14], provisional member of the Drupal Security Team
* Drew Webber [15] of the Drupal Security Team
* Nathan Dentzau [16]
* Heine [17] of the Drupal Security Team
* Joseph Zhao [18], provisional member of the Drupal Security Team
* Jess [19] of the Drupal Security Team
* Tim Plunkett [20]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/3522063
[7] https://www.drupal.org/user/567198
[8] https://www.drupal.org/user/3444913
[9] https://www.drupal.org/user/3312527
[10] https://www.drupal.org/user/153120
[11] https://www.drupal.org/user/395439
[12] https://www.drupal.org/user/124982
[13] https://www.drupal.org/user/99777
[14] https://www.drupal.org/user/93488
[15] https://www.drupal.org/user/255969
[16] https://www.drupal.org/user/3444913
[17] https://www.drupal.org/user/17943
[18] https://www.drupal.org/user/1987218
[19] https://www.drupal.org/user/65776
[20] https://www.drupal.org/user/241634

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2020-010

Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

CVE IDs: CVE-2020-13669
Description: 
Drupal core’s built-in CKEditor image caption functionality is vulnerable to
XSS.

Solution: 
Install the latest version:

* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: 
* Dor Tumarkin [6]
* Krzysztof Krzton [7]

Fixed By: 
* Samuel Mortenson [8] of the Drupal Security Team
* Wim Leers [9]
* Henrik Danielsson [10]
* Dor Tumarkin [11]
* Jess [12] of the Drupal Security Team
* Krzysztof Krzton [13]
* Lee Rowlands [14] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/3648639
[7] https://www.drupal.org/user/3618903
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/99777
[10] https://www.drupal.org/user/244227
[11] https://www.drupal.org/user/3648639
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/3618903
[14] https://www.drupal.org/user/395439

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

View online: https://www.drupal.org/sa-core-2020-011

Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure

CVE IDs: CVE-2020-13670
Description: 
A vulnerability exists in the File module which allows an attacker to gain
access to the file metadata of a permanent private file that they do not have
access to by guessing the ID of the file.

Solution: 
Install the latest version:

* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: 
* David Rothstein [6] of the Drupal Security Team
* Ivan [7]
* elarlang [8]
* Mori Sugimoto [9] of the Drupal Security Team
* kyk [10]

Fixed By: 
* Michael Hess [11] of the Drupal Security Team
* Peter Wolanin [12] of the Drupal Security Team
* Stefan Ruijsenaars [13]
* David Rothstein [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Ben Dougherty [16] of the Drupal Security Team
* Frédéric G. Marand [17]
* Samuel Mortenson [18] of the Drupal Security Team
* Joseph Zhao [19], provisional member of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/124982
[7] https://www.drupal.org/user/556138
[8] https://www.drupal.org/user/3583903
[9] https://www.drupal.org/user/82971
[10] https://www.drupal.org/user/29822
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/49851
[13] https://www.drupal.org/user/551886
[14] https://www.drupal.org/user/124982
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1852732
[17] https://www.drupal.org/user/27985
[18] https://www.drupal.org/user/2582268
[19] https://www.drupal.org/user/1987218

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news