Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038
  • Date: Wed, 13 Mar 2019 17:37:13 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-038

Project: Simple hierarchical select [1]
Date: 2019-March-13
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery

Description: 
Simple hierarchical select defines a new form widget for taxonomy fields to
select a term by "browsing" through the vocabularies hierarchy. It also
allows users to create new taxonomy terms using its widget directly in the
node form.

Version 7.x of Simple hierarchical select doesn't sufficiently checks
permission when creating new terms so attackers can create arbitrary taxonomy
terms in any vocabularies the victim has access to..
This vulnerability is mitigated by the fact that an attacker must trick a
user with permission to create terms to visit a specially prepared web page
controlled by the attacker.

Solution: 
Install the latest version:

* If you use /Simple hierarchical select/ prior to 7.x-1.7 update to 7.x-1.8
[3]
* If you are unable to update, simply deactivate the option to allow
creating new terms in the widget settings.

Note that the Drupal 8 version of this module is unaffected.

Reported By: 
* Ayesh Karunaratne [4]

Fixed By: 
* Ayesh Karunaratne [5]
* Stefan Borchert [6]
* Greg Knaddison [7] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/shs
[2] https://www.drupal.org/security-team/risk-levels
[3] node/3039685
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/796148
[6] https://www.drupal.org/user/36942
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038, security-news, 13.03.2019

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang