-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2325
                        Drupal Contributed Project
                               27 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Advanced Forum module for Drupal
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.drupal.org/sa-contrib-2019-054

- --------------------------BEGIN INCLUDED TEXT--------------------

Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Project:
Advanced Forum
Version:
7.x-2.x-dev
Date:
2019-June-26
Security risk:
Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:
Cross Site Scripting
Description:

Advanced Forum builds on and enhances Drupal's core forum module. When used in
combination with other Drupal contributed modules, many of which are
automatically used by Advanced Forum, you can achieve much of what stand-alone
forum software provides.

The module doesn't sufficiently sanitise user input in specific circumstances.
It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create forum content.
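The advisory does not publish the affected code path, so the following is an added illustration of the bug class it describes (user-supplied forum content reaching page markup without escaping) and of the Drupal 7 core escaping calls a fix relies on. It is not the Advanced Forum module's own code: the two theme functions, the body helper and the sample title string are hypothetical and constructed for this example; `check_plain()` and `filter_xss()` are real Drupal 7 core API functions.

```php
<?php
// Added illustration of insufficient output sanitisation in a Drupal 7 module.
// Not the Advanced Forum module's actual code; the function names below are
// hypothetical and the sample title is constructed.

// Constructed sample input: what a user holding "create forum content"
// permission could type into a post title field.
$user_supplied_title = 'Hello <script>alert(1)</script> world';

// Vulnerable pattern: the raw string is concatenated straight into HTML, so the
// browser treats the embedded tag as markup rather than text.
function theme_example_forum_post_title_unsafe($variables) {
  return '<h3 class="forum-post-title">' . $variables['title'] . '</h3>';
}

// Hardened pattern: check_plain() (Drupal 7 core) HTML-encodes the string,
// turning '<' into '&lt;', so the title is rendered as literal text.
function theme_example_forum_post_title_safe($variables) {
  return '<h3 class="forum-post-title">' . check_plain($variables['title']) . '</h3>';
}

// Where some markup is intentionally allowed (for example a post body),
// filter_xss() (Drupal 7 core) keeps only the tags in an explicit allow list
// and strips event handlers and javascript: URLs from what remains.
function example_forum_post_body_safe($body) {
  $allowed_tags = array('a', 'em', 'strong', 'p', 'ul', 'ol', 'li', 'blockquote', 'code');
  return filter_xss($body, $allowed_tags);
}

// Hypothetical check a maintainer might keep in a module's test suite:
// the escaped output must not contain the raw tag from the constructed input.
function example_title_is_escaped($title) {
  $html = theme_example_forum_post_title_safe(array('title' => $title));
  return strpos($html, '<script') === FALSE;
}
```

In Drupal 7 a render array's `#markup` value is also output as-is, so the same rule applies there: anything that originated from a form field, entity property or URL must go through `check_plain()` or `filter_xss()` before it is placed in `#markup`. The mitigation the advisory notes (the attacker needs a role allowed to create forum content) only narrows who can supply the input; the fix is still to escape on output, which is what the 7.x-2.8 upgrade provides.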

Solution:

Install the latest version:

  o If you use the Advanced Forum module for Drupal 7.x, upgrade to Advanced
    Forum 7.x-2.8

Also see the Advanced Forum project page.

Reported By:

  o Drew Webber of the Drupal Security Team

Fixed By:

  o Drew Webber of the Drupal Security Team
  o Vijaya Chandran Mani, Provisional Member of the Drupal Security Team

Coordinated By:

  o Drew Webber of the Drupal Security Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXRQyn2aOgq3Tt24GAQisMA//Z+8QK07/8uve+dEC5xWMixbhr/CNyLwy
R/jqn+h3ayTvuBOr3g2qEa0khZj3C8sIaEQOJnyUKORLivFXrKf4qSxrzS1rjhF/
OmhiLeV18qrBKoJiuQ4ZWF0Uz3redwk0HfdTDKyyGvGwjVCI29+tcdBbyc0fX1tR
HSzUDREX8Qb7yjXPG4MfxH2CBUztnc/4nQFXFB45+5gBkwb/1FA859/nH2x6h6wv
y7Bm7TgeqO9hWZu6MZT/Q+iHxWNp69XCLlreUUr4NaySXPwvGwX8enCSxM5+b9ZT
YmlRJoKY9IObJoHIhw8XxthBnhsTxK73ZHLyEW+icv4GZfDhpvNZlLLMS1rBJQEs
/zyWhXV2V9SH+uejXAVNY3hCLYXefO5jztoV/n7vejYQ7E76zfbqubRmQrhSrGUG
rFMeAwGclaMZcTx7ugY+ImD5qQYn7SVVEO5nmxn7dG4MFjeDrmy4b6NKgVM/c2ur
Dqtl2SL7ByemTFRVXsjqSiOyYU+zXNCCufQMwAXCPNmMIvOBimUoUg1xNV5MHJaN
57Y0/f2OC5KtMeT8w7DsGcuf62p3MvjULTVWskbV0O59DbQp1nc2ODYV050uFLVN
5jYI6RToH+58rkbk+9P+wvCagiFkKtZpeJ/5OgfPn9wisMk6atCT6ToL8z3bG1ut
bOuwpmVIoos=
=xLof
-----END PGP SIGNATURE-----