From security at unicamp.br Mon Jun 1 09:26:40 2020
From: security at unicamp.br (CSIRT Unicamp)
Date: Mon, 1 Jun 2020 09:26:40 -0300
Subject: [SECURITY-L] Vulnerabilities Monthly Digest for May 2020 - WPScan
In-Reply-To: <010001726cd8f795-16d3a3aa-f7b0-46a6-b027-93bc59532f0d-000000@email.amazonses.com>
References: <010001726cd8f795-16d3a3aa-f7b0-46a6-b027-93bc59532f0d-000000@email.amazonses.com>

Hello,

This is your Vulnerabilities Monthly Digest for May 2020.

WordPress Plugin Vulnerabilities

- Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF
- MapPress Maps < 2.54.6 - Improper Capability Checks in AJAX Calls
- bbPress < 2.6.5 - Authenticated Stored Cross-Site Scripting via the forums list table
- bbPress 2.6-2.6.5 - Authenticated Privilege Escalation via the Super Moderator feature
- bbPress < 2.6.5 - Unauthenticated Privilege Escalation when New User Registration enabled
- Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)
- Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS
- Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - Unprotected AJAX's leading to XSS
- Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 - Unauthenticated File Upload Bypass
- Form Maker by 10Web <= 1.13.35 - Authenticated SQL Injection
- Official MailerLite Sign Up Forms < 1.4.5 - Multiple CSRF Issues
- Official MailerLite Sign Up Forms < 1.4.4 - Unauthenticated SQL Injection
- Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)
- ThirstyAffiliates < 3.9.3 - Authenticated Stored XSS
- WP Frontend Profile < 1.2.2 - CSRF Check Incorrectly Implemented
- Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection
- Ajax Load More < 5.3.2 - Authenticated SQL Injection
- Visual Composer < 27.0 - Multiple Authenticated Cross-Site Scripting Issues
- Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
- Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
- WP Product Review < 3.7.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
- Login/Signup Popup < 1.5 - Authenticated Stored Cross-Site Scripting (XSS)
- Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access
- Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)
- WooCommerce < 4.1.0 - Unescaped Metadata when Duplicating Products
- Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)
- Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
- Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)
- Ultimate Addons for Elementor < 1.24.2 - Registration Bypass
- Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload
- Elementor < 2.9.8 - SVG Sanitizer Bypass leading to Authenticated Stored XSS
- Advanced Order Export For WooCommerce < 3.1.4 - Authenticated Cross-Site Scripting (XSS)
- WTI Like Post <= 1.4.5 - Authenticated Stored Cross-Site Scripting (XSS)

WordPress Theme Vulnerabilities

- Avada < 6.2.3 - Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS

Thank you,
The WPScan Team

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830


From security at unicamp.br Wed Jun 3 13:48:08 2020
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 3 Jun 2020 13:48:08 -0300
Subject: [SECURITY-L] [Security-news] Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022

View online: https://www.drupal.org/sa-contrib-2020-022

Project: Services [1]
Version: 7.x-3.x-dev
Date: 2020-June-03
Security risk: *Moderately critical* 11/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description:
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contrib modules depend on.

This vulnerability is mitigated by the fact your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your API endpoint's path.

Solution:
Install the latest version:
* If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.26 [3]

Also see the Services [4] project page.
Reported By:
* Vadym Abramchuk [5]

Fixed By:
* Vadym Abramchuk [6]
* Tyler Frankenstein [7]

Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3144924
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/user/3216035
[6] https://www.drupal.org/user/3216035
[7] https://www.drupal.org/user/150680
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


From security at unicamp.br Wed Jun 17 16:04:50 2020
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 17 Jun 2020 16:04:50 -0300
Subject: [SECURITY-L] [Security-news] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

View online: https://www.drupal.org/sa-core-2020-005

Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Critical* 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664

Description:
Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By:
* Lorenzo G [6]
* Sam Thomas [7]

Fixed By:
* Jess [8] of the Drupal Security Team
* Samuel Mortenson [9] of the Drupal Security Team
* Peter Wolanin [10] of the Drupal Security Team
* Lorenzo G [11]
* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
* Cash Williams [14] of the Drupal Security Team
* Heine [15] of the Drupal Security Team
* Drew Webber [16] of the Drupal Security Team
* Alex Pott [17] of the Drupal Security Team
* Gábor Hojtsy [18]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/3644903
[7] https://www.drupal.org/user/3603418
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/2582268
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/3644903
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/user/36762
[14] https://www.drupal.org/user/421070
[15] https://www.drupal.org/user/17943
[16] https://www.drupal.org/user/255969
[17] https://www.drupal.org/user/157725
[18] https://www.drupal.org/user/4166
From security at unicamp.br Wed Jun 17 16:07:06 2020
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 17 Jun 2020 16:07:06 -0300
Subject: [SECURITY-L] [Security-news] Drupal core - Less critical - Access bypass - SA-CORE-2020-006

View online: https://www.drupal.org/sa-core-2020-006

Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Less critical* 8/25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665

Description:
JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By:
* Sergii Bondarenko [6]

Fixed By:
* Sergii Bondarenko [7]
* Wim Leers [8]
* Jess [9] of the Drupal Security Team
* Lee Rowlands [10] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/2802285
[7] https://www.drupal.org/user/2802285
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/395439


From security at unicamp.br Wed Jun 24 17:01:29 2020
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 24 Jun 2020 17:01:29 -0300
Subject: [SECURITY-L] [Security-news] Extending Drupal 7's End-of-Life - PSA-2020-06-24

View online: https://www.drupal.org/psa-2020-06-24

Date: 2020-June-24

Description:
Previously, Drupal 7's end-of-life was scheduled for November 2021. Given the impact of COVID-19 on budgets and businesses, we will be extending the end of life until *November 28, 2022*. The Drupal Security Team will continue to follow the Security Team processes [1] for Drupal 7 core and contributed projects. However, this means extra work from the Drupal community at large and the security team in particular to review security reports, create patches, and release security advisories for Drupal 7. This community effort will give site owners more time while budgets recover, but the organizations that sponsor security team members and the individual security team members who volunteer their time could use your support.
If you can, please donate to support the end-of-life extension [2].

*Drupal 8 will still be end-of-life on November 2, 2021*, due to Symfony 3's end of life [3]. However, since the upgrade path from Drupal 8 to Drupal 9 is much easier, we don't anticipate the same impact on end-users.

What does this mean for my Drupal 7 site?
You can continue to run the site and get security updates via the normal channels and processes. This will give you an extra year to work on converting your site to Drupal 9.

Do I need to upgrade to Drupal 8 before I upgrade to Drupal 9?
Migrating directly from Drupal 7 to Drupal 9 is supported with the core Migrate module. Read more on preparing a Drupal 7 site for Drupal 9 [4].

How can I help?
*Consider donating [5] to support this effort.* If you are a representative of a large end-user of Drupal, we'd love you to join the Drupal Association and the security team as a partner. You can also consider getting more involved in fixing issues in the issue queue [6] or joining the Security Team [7] as a way to support the effort.

What about Drupal 7 Vendor Extended Support?
The extended support will now run from November 2022 until November 2025. You can read more about the Drupal 7 Vendor Extended Support program [8].

What about contributed projects?
The Security Team will continue to follow the Security Team processes [9] for contributed projects. Contributed project maintainers are asked to consider supporting existing Drupal 7 releases if they are able.

[1] https://www.drupal.org/drupal-security-team/security-team-procedures
[2] http://drupal.org/security-team/donate
[3] https://symfony.com/releases/3.4
[4] https://www.drupal.org/docs/understanding-drupal/drupal-9-release-date-and-what-it-means/what-happens-to-drupal-7-now-that
[5] http://drupal.org/security-team/donate
[6] https://www.drupal.org/project/issues/drupal?text=&status=Open&priorities=All&categories=All&version=all_7.*&component=All
[7] https://www.drupal.org/drupal-security-team/how-to-join-the-drupal-security-team
[8] https://www.drupal.org/drupal-security-team/information-for-organizations-interested-in-providing-commercial-drupal-7
[9] https://www.drupal.org/drupal-security-team/security-team-procedures
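The two SA-CORE-2020-017 advisories above (SA-CORE-2020-005 and SA-CORE-2020-006) share one upgrade matrix, and the second applies only when jsonapi.settings has read_only set to false. The following triage helper, added here and not part of the advisories or of Drupal itself, encodes that decision logic so a site owner can run it over an installed core version and an exported jsonapi.settings.yml; the sample settings string is constructed, and the minimal line parser is an assumption in place of a YAML library.

```python
import re

# Fixed releases named in SA-CORE-2020-005 and SA-CORE-2020-006 (2020-June-17).
FIXED = {(8, 8): (8, 8, 8), (8, 9): (8, 9, 1), (9, 0): (9, 0, 1)}
EOL_TARGET = (8, 8, 8)  # branches before 8.8.x are end-of-life; advisories say move to 8.8.8


def parse_version(text):
    """Turn a core version string such as '8.8.7' (or '7.72') into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def core_update_target(version):
    """Return the release a site should move to, or None if the advisories need no update."""
    v = parse_version(version)
    target = FIXED.get(v[:2])
    if target is not None:
        return ".".join(map(str, target)) if v < target else None
    if v[0] == 8 and v < EOL_TARGET:
        return "8.8.8"  # 8.7.x and earlier receive no security coverage
    return None  # Drupal 7, or a branch newer than those named in the advisories


def jsonapi_writable(settings_yml):
    """True when an exported jsonapi.settings.yml sets read_only to false (assumed
    flat key: value lines). Drupal's default is read-only, so a missing key is False."""
    for line in settings_yml.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "read_only":
            return value.strip().lower() == "false"
    return False


def triage(version, settings_yml):
    """Summarise exposure to SA-CORE-2020-005 (RCE) and SA-CORE-2020-006 (JSON:API bypass)."""
    target = core_update_target(version)
    return {
        "update_to": target,
        "sa_core_2020_005": target is not None,
        "sa_core_2020_006": target is not None and jsonapi_writable(settings_yml),
    }


# Constructed sample input (not from the advisories): an 8.8.7 site with JSON:API writable.
SAMPLE_SETTINGS = "read_only: false\n"
if __name__ == "__main__":
    print(triage("8.8.7", SAMPLE_SETTINGS))
```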