Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3175
Drupal Security Updates
17 September 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Drupal
Publisher: Drupal
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13670 CVE-2020-13669 CVE-2020-13668
CVE-2020-13667 CVE-2020-13666
Original Bulletin:
https://www.drupal.org/sa-core-2020-011
https://www.drupal.org/sa-core-2020-008
https://www.drupal.org/sa-core-2020-010
https://www.drupal.org/sa-core-2020-009
https://www.drupal.org/sa-core-2020-007
Comment: This bulletin contains five (5) Drupal security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 12/25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information disclosure
CVE IDs: CVE-2020-13670
Description:
A vulnerability exists in the File module which allows an attacker to gain
access to the file metadata of a permanent private file that they do not have
access to by guessing the ID of the file.
Solution:
Install the latest version:
o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 .
o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 .
o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 .
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Reported By:
o David Rothstein of the Drupal Security Team
o Ivan
o elarlang
o Mori Sugimoto of the Drupal Security Team
o kyk
Fixed By:
o Michael Hess of the Drupal Security Team
o Peter Wolanin of the Drupal Security Team
o Stefan Ruijsenaars
o David Rothstein of the Drupal Security Team
o Jess of the Drupal Security Team
o Ben Dougherty of the Drupal Security Team
o Frederic G. Marand
o Samuel Mortenson of the Drupal Security Team
o Joseph Zhao , provisional member of the Drupal Security Team
- --------------------------------------------------------------------------------
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
CVE IDs: CVE-2020-13667
Description:
The experimental Workspaces module allows you to create multiple workspaces on
your site in which draft content can be edited before being published to the
live workspace.
The Workspaces module doesn't sufficiently check access permissions when
switching workspaces, leading to an access bypass vulnerability. An attacker
might be able to see content before the site owner intends people to see the
content.
This vulnerability is mitigated by the fact that sites are only vulnerable if
they have installed the experimental Workspaces module.
Solution:
Install the latest version:
o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 .
o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 .
o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 .
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Once a site running Workspaces is upgraded, authenticated users may continue to
see unauthorized workspace content that they accessed previously until they are
logged out.
If it is important for the unintended access to stop immediately, you may wish
to end all active user sessions on your site (for example, by truncating the
sessions table). Be aware that this will immediately log all users out and can
cause side effects like lost user input.
Reported By:
o Andrei Mateescu
Fixed By:
o Andrei Mateescu
o Jess of the Drupal Security Team
o Nathaniel Catchpole of the Drupal Security Team
o Lee Rowlands of the Drupal Security Team
o Greg Knaddison of the Drupal Security Team
o Dick Olsson
- --------------------------------------------------------------------------------
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13669
Description:
Drupal core's built-in CKEditor image caption functionality is vulnerable to
XSS.
Solution:
Install the latest version:
o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 .
o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 .
o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 .
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Reported By:
o Dor Tumarkin
o Krzysztof Krzton
Fixed By:
o Samuel Mortenson of the Drupal Security Team
o Wim Leers
o Henrik Danielsson
o Dor Tumarkin
o Jess of the Drupal Security Team
o Krzysztof Krzton
o Lee Rowlands of the Drupal Security Team
- --------------------------------------------------------------------------------
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
Project: Drupal core
Date: 2020-September-16
Security risk: Critical 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13668
Description:
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under
certain circumstances.
An attacker could leverage the way that HTML is rendered for affected forms in
order to exploit the vulnerability.
Solution:
Install the latest version:
o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 .
o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 .
o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 .
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.10.
In addition to updating Drupal core, sites that override \Drupal\Core\Form\
FormBuilder 's renderPlaceholderFormAction() and/or buildFormAction() methods
in contrib and/or custom code should ensure that appropriate sanitization is
applied for URLs.
Reported By:
o Nuno Ramos
o markwittens
o Nathan Dentzau
o Marc Addeo
o Alejandro Garza
Fixed By:
o Lee Rowlands of the Drupal Security Team
o David Rothstein of the Drupal Security Team
o Wim Leers
o Vijay Mani , provisional member of the Drupal Security Team
o Drew Webber of the Drupal Security Team
o Nathan Dentzau
o Heine of the Drupal Security Team
o Joseph Zhao , provisional member of the Drupal Security Team
o Jess of the Drupal Security Team
o Tim Plunkett
- --------------------------------------------------------------------------------
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666
Description:
The Drupal AJAX API does not disable JSONP by default, which can lead to
cross-site scripting.
Solution:
Install the latest version:
o If you are using Drupal 7.x, upgrade to Drupal 7.73 .
o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 .
o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 .
o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 .
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.10.
If you were previously relying on Drupal's AJAX API to perform trusted JSONP
requests, you'll either need to override the AJAX options to set "jsonp: true"
, or you'll need to use the jQuery AJAX API directly.
If you are using jQuery's AJAX API for user-provided URLs in a contrib or
custom module, you should review your code and set "jsonp: false" where this is
appropriate.
Reported By:
o Samuel Mortenson of the Drupal Security Team
Fixed By:
o Samuel Mortenson of the Drupal Security Team
o Theodore Biadala
o Lee Rowlands of the Drupal Security Team
o David Snopek of the Drupal Security Team
o Nathaniel Catchpole of the Drupal Security Team
o Alex Bronstein of the Drupal Security Team
o Drew Webber of the Drupal Security Team
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX2KOX+NLKJtyKPYoAQg8KQ//W70E6uJJMe0KSbzTkqO+9tdj3Kf4Iw9n
BbNXeDIUsVO+gVWr0gzs3RgQGOnaNHdYrKdY+94e8JY2eujcAMS265XmJmFb4Lo1
xY55lFiCZmw/l6ESLi6M3Unnk2Me+/v9SjE0Uh3ecZfuBsuyQn6HOuOzmD9SkSnx
5qZ05ABbvIl/mBrLBcjDnNYusk9Sqr71euEWKNSW+VqCadsUt9SYQ2pVaphYulyL
cm36K9w2USmdAcRseAAX0g5qmzmOzumU7LeqKo6jgj70hnRjPLdqVaEr3ohPkxeh
cLLefOEE4+lL1V5VEsd8CNc4akYO4edu5ZqyNa0lkc+fSwwGH2XXhXQsKD6SrBG6
6/zpEXnJTnM83JcXmBkwqNBUQJuYv0b7C14ZMNtimQLluIXvEO9D7QLsRKux8v/F
rn/XELGz95EkeJnQBbBy2x5Pc9OnusNm7yMGRnJS8O0bI6RcFveI5kWP9dVXwGaE
eewzpXZZ0wruQTZHSF1hXhWG1mFcOfXDonfkWeHS+9XoVMr4Gh5Fxj3hijVCESRi
+Nu45Xt3LRp0gqtKUsaOsqdeDZfbPqfu1Pp1tWkFccgXdsnUmZheCOHdx2p+7k+0
l7aLVEdRlHD44A6LqTfiFPE23KWXks8n9ZdjAepJ4AeFWaOH1q7oFtS7l8ewfLSy
M9YUoxh3LqQ=
=WKmn
-----END PGP SIGNATURE-----