Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3175 Drupal Security Updates 17 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-13670 CVE-2020-13669 CVE-2020-13668 CVE-2020-13667 CVE-2020-13666 Original Bulletin: https://www.drupal.org/sa-core-2020-011 https://www.drupal.org/sa-core-2020-008 https://www.drupal.org/sa-core-2020-010 https://www.drupal.org/sa-core-2020-009 https://www.drupal.org/sa-core-2020-007 Comment: This bulletin contains five (5) Drupal security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011 Project: Drupal core Date: 2020-September-16 Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default Vulnerability: Information disclosure CVE IDs: CVE-2020-13670 Description: A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. Solution: Install the latest version: o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 . o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 . o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 . Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. Reported By: o David Rothstein of the Drupal Security Team o Ivan o elarlang o Mori Sugimoto of the Drupal Security Team o kyk Fixed By: o Michael Hess of the Drupal Security Team o Peter Wolanin of the Drupal Security Team o Stefan Ruijsenaars o David Rothstein of the Drupal Security Team o Jess of the Drupal Security Team o Ben Dougherty of the Drupal Security Team o Frederic G. Marand o Samuel Mortenson of the Drupal Security Team o Joseph Zhao , provisional member of the Drupal Security Team - -------------------------------------------------------------------------------- Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008 Project: Drupal core Date: 2020-September-16 Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default Vulnerability: Access bypass CVE IDs: CVE-2020-13667 Description: The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. Solution: Install the latest version: o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 . o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 . o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 . Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out. If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input. Reported By: o Andrei Mateescu Fixed By: o Andrei Mateescu o Jess of the Drupal Security Team o Nathaniel Catchpole of the Drupal Security Team o Lee Rowlands of the Drupal Security Team o Greg Knaddison of the Drupal Security Team o Dick Olsson - -------------------------------------------------------------------------------- Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010 Project: Drupal core Date: 2020-September-16 Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting CVE IDs: CVE-2020-13669 Description: Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS. Solution: Install the latest version: o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 . o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 . o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 . Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. Reported By: o Dor Tumarkin o Krzysztof Krzton Fixed By: o Samuel Mortenson of the Drupal Security Team o Wim Leers o Henrik Danielsson o Dor Tumarkin o Jess of the Drupal Security Team o Krzysztof Krzton o Lee Rowlands of the Drupal Security Team - -------------------------------------------------------------------------------- Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009 Project: Drupal core Date: 2020-September-16 Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Cross-site scripting CVE IDs: CVE-2020-13668 Description: Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. Solution: Install the latest version: o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 . o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 . o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 . Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. In addition to updating Drupal core, sites that override \Drupal\Core\Form\ FormBuilder 's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs. Reported By: o Nuno Ramos o markwittens o Nathan Dentzau o Marc Addeo o Alejandro Garza Fixed By: o Lee Rowlands of the Drupal Security Team o David Rothstein of the Drupal Security Team o Wim Leers o Vijay Mani , provisional member of the Drupal Security Team o Drew Webber of the Drupal Security Team o Nathan Dentzau o Heine of the Drupal Security Team o Joseph Zhao , provisional member of the Drupal Security Team o Jess of the Drupal Security Team o Tim Plunkett - -------------------------------------------------------------------------------- Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007 Project: Drupal core Date: 2020-September-16 Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross-site scripting CVE IDs: CVE-2020-13666 Description: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting. Solution: Install the latest version: o If you are using Drupal 7.x, upgrade to Drupal 7.73 . o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 . o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 . o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 . Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10. If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true" , or you'll need to use the jQuery AJAX API directly. If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate. Reported By: o Samuel Mortenson of the Drupal Security Team Fixed By: o Samuel Mortenson of the Drupal Security Team o Theodore Biadala o Lee Rowlands of the Drupal Security Team o David Snopek of the Drupal Security Team o Nathaniel Catchpole of the Drupal Security Team o Alex Bronstein of the Drupal Security Team o Drew Webber of the Drupal Security Team - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX2KOX+NLKJtyKPYoAQg8KQ//W70E6uJJMe0KSbzTkqO+9tdj3Kf4Iw9n BbNXeDIUsVO+gVWr0gzs3RgQGOnaNHdYrKdY+94e8JY2eujcAMS265XmJmFb4Lo1 xY55lFiCZmw/l6ESLi6M3Unnk2Me+/v9SjE0Uh3ecZfuBsuyQn6HOuOzmD9SkSnx 5qZ05ABbvIl/mBrLBcjDnNYusk9Sqr71euEWKNSW+VqCadsUt9SYQ2pVaphYulyL cm36K9w2USmdAcRseAAX0g5qmzmOzumU7LeqKo6jgj70hnRjPLdqVaEr3ohPkxeh cLLefOEE4+lL1V5VEsd8CNc4akYO4edu5ZqyNa0lkc+fSwwGH2XXhXQsKD6SrBG6 6/zpEXnJTnM83JcXmBkwqNBUQJuYv0b7C14ZMNtimQLluIXvEO9D7QLsRKux8v/F rn/XELGz95EkeJnQBbBy2x5Pc9OnusNm7yMGRnJS8O0bI6RcFveI5kWP9dVXwGaE eewzpXZZ0wruQTZHSF1hXhWG1mFcOfXDonfkWeHS+9XoVMr4Gh5Fxj3hijVCESRi +Nu45Xt3LRp0gqtKUsaOsqdeDZfbPqfu1Pp1tWkFccgXdsnUmZheCOHdx2p+7k+0 l7aLVEdRlHD44A6LqTfiFPE23KWXks8n9ZdjAepJ4AeFWaOH1q7oFtS7l8ewfLSy M9YUoxh3LqQ= =WKmn -----END PGP SIGNATURE-----