-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1744
                         Drupal Contributed Projects
                                 16 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Opigno
                   Drupal Opigno Learning path
                   Drupal Multiple Registration
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access      -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.drupal.org/sa-contrib-2019-046
   https://www.drupal.org/sa-contrib-2019-047
   https://www.drupal.org/sa-contrib-2019-048

Comment: This bulletin contains three (3) Drupal security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

Project: Opigno forum
Date: 2019-May-15
Security risk: Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass

Description:

In certain circumstances it is possible that certain forum information is
available to unprivileged users because the access check is done with node
access instead of grants.

This vulnerability is mitigated by the fact that the module itself does not
disclose information but only if there are listings such as views where the
site builder / developer has not taken this into account.

Solution:

Install the latest version:

  o If you use the opigno_forum module for Drupal 8.x, upgrade to
    opigno_forum 8.x-1.2

Also see the Opigno forum project page.

Reported By:

  o Nathaniel Catchpole of the Drupal Security Team

Fixed By:

  o James Aparicio
  o Nathaniel Catchpole of the Drupal Security Team

Coordinated By:

  o Nathaniel Catchpole of the Drupal Security Team

- -----------------------------------------------------------------------------

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

Project: Opigno Learning path
Date: 2019-May-15
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description:

In certain configuration cases, when a learning path is configured as
semi-private, anonymous users are allowed to join a learning path when they
should not.

Solution:

Install the latest version:

  o If you use the opigno learning path module for Drupal 8.x, upgrade to
    opigno_learning_path 8.x-1.4
  o If using the opigno lms distribution it is recommended to update the
    whole distribution to the latest version Opigno lms 8.x-1.5

Also see the Opigno Learning path project page.

Reported By:

  o Nathaniel Catchpole of the Drupal Security Team

Fixed By:

  o James Aparicio
  o Nathaniel Catchpole of the Drupal Security Team

Coordinated By:

  o Nathaniel Catchpole of the Drupal Security Team

- -----------------------------------------------------------------------------

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

Project: Multiple Registration
Date: 2019-May-15
Security risk: Critical 19/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description:

This module enables you to use special routes for user registration with
special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles can be registered
under the scenario when the user tries to register the user with the
administrator role.

This vulnerability is mitigated on sites where account approval is required
as the user starts as blocked but still gets the "Administrator" role.

Solution:

Install the latest version:

  o If you use the Multiple registration module for Drupal 8.x, upgrade to
    Multiple registration 8.x-2.8

Reported By:

  o iswilson

Fixed By:

  o Yaroslav Samoylenko
  o iswilson
  o Cash Williams of the Drupal Security Team

Coordinated By:

  o Cash Williams of the Drupal Security Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXNy2GmaOgq3Tt24GAQhvOA/9FxfyseV5FoXniRAr8MO/0w48ihXVev1N
OlIpbQijUN47/a2Ju752IxKgRwQabDVOukRCLy/lAIhyrfDvEr7ZQHTo10J1dQ6Y
gl2RVUXE51GgXsr5TVLChucpnEZtOwV/YgIatsDhebyav1jMyHk2vgHcltK+p9no
bzHTzv+gzhEov/ZYqU/EWsyd1y5rx+HXyaw0gbcpWxjzrGIBRSRW99nd3wu5VS2h
sH/VYzN+iR0pj/i/CaT1sosHYgX8HROoutJANw5VTsdDzgqwAJnkj+FMHS9Db783
bB/Zdo/avOggdQQfYtb/JhVarF6tLIzgYlknENMsSy+eM96moiZCMD7i2iP50EH4
hvQtU7mYbeRrfH+WXRMjbUebUq5OjhP8hy4uSaKlAcmY6VUFC0zwvnhnUbFekvWo
KqgMeYt+zjL1PXR1UAygmTtVLRAM8dne0Bp7Okqhp4mPZcVJJ0zRU5kB1JmOU8Q2
iQo7rkA5SMbEtteMkgj0YmxtBoC5iNhLbSl8QqQU6NM1+3aECHrj9/UtnwNiKI+o
992AQyZVyU0ygdvifbAEq7aq4VlsJKSMiYFMSsMOSqCQFHkdQc/NqCYAC0+k9fgB
zNtvn7pgTGsQCBMD+A6b3I1JXyvNp38lbKC6g4847gNZAYnHs/tbAvnaGgJTYcDT
A9ES7wkhi5Y=
=PJ4f
-----END PGP SIGNATURE-----
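The Multiple Registration advisory (SA-CONTRIB-2019-048) above describes a registration route that did not sufficiently restrict which roles could be handed out, so a self-registered account could end up with the administrator role. The following is an added example of the kind of server-side check a defender would expect on such a route, written for Drupal 8 PHP; it is not the Multiple Registration module's own code and does not reproduce its fix. The function names, the `rid` route parameter and the `example.settings` / `registration_roles` configuration key are assumptions; the Drupal APIs it calls (`Role::load()`, `RoleInterface::isAdmin()`, `RoleInterface::ANONYMOUS_ID` and `AUTHENTICATED_ID`, `FormStateInterface::setError()`, `\Drupal::routeMatch()`, `\Drupal::config()`) are part of Drupal 8 core.

```php
<?php

// Added example, not the Multiple Registration module's own code: a
// server-side check that a role-specific registration route may only assign
// roles a site builder has explicitly exposed, and never an admin role.
// Function names, the 'rid' route parameter and the config key are assumed.

use Drupal\Core\Form\FormStateInterface;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

/**
 * Returns TRUE only if $rid is a role that may be self-registered.
 *
 * @param string $rid
 *   Role ID taken from the registration route (for example 'student').
 * @param string[] $allowed_rids
 *   Role IDs the site builder configured for self-registration.
 */
function example_role_may_self_register(string $rid, array $allowed_rids): bool {
  // Allowlist first: a role that exists but was never exposed for
  // self-registration is refused, whatever the caller asked for.
  if (!in_array($rid, $allowed_rids, TRUE)) {
    return FALSE;
  }
  // The built-in pseudo-roles are never valid registration targets.
  if ($rid === RoleInterface::ANONYMOUS_ID || $rid === RoleInterface::AUTHENTICATED_ID) {
    return FALSE;
  }
  $role = Role::load($rid);
  if ($role === NULL) {
    return FALSE;
  }
  // Refuse any role flagged as admin even if it was placed in the allowlist
  // by mistake; granting such a role on registration is the condition the
  // advisory describes.
  return !$role->isAdmin();
}

/**
 * Validation handler for the registration form on a role-specific route.
 */
function example_registration_form_validate(array &$form, FormStateInterface $form_state): void {
  // The role comes from the route, not from user-controlled form input.
  $rid = (string) \Drupal::routeMatch()->getParameter('rid');
  $allowed_rids = \Drupal::config('example.settings')->get('registration_roles') ?? [];
  if (!example_role_may_self_register($rid, $allowed_rids)) {
    $form_state->setError($form, t('Registration with this role is not permitted.'));
    return;
  }
  // Only now is it safe for the submit handler to call $account->addRole($rid).
}
```

The check is deliberately layered: the configured allowlist decides what is offered at all, the pseudo-role and `isAdmin()` tests catch misconfiguration of that allowlist, and the role is read from the route rather than from a submitted value so the decision cannot be influenced by the request body. The advisory's mitigation (account approval leaves the user blocked) still leaves an admin-role account on the site; the point of validating before `addRole()` is that the role is never assigned in the first place.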