History: Apr 21, 2015 - 12:00 a.m.

KLA10563 Multiple vulnerabilities in Drupal modules

2015-04-21 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 6.8 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score: 7.4 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 75.8%)

Multiple serious vulnerabilities have been found in Drupal modules. Malicious users can exploit these vulnerabilities to bypass security restrictions, inject arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. Open redirect vulnerabilities in Commerce WeDeal, Node basket, Views and Node Invite modules can be exploited remotely via unspecified vectors;
  2. XSS vulnerabilities in Ajax Timeline, Facebook Album Fetcher, Public Download Count, Taxonomy Tools, Node Access Product, Taxonomy Path, Commerce Balanced Payments, Node basket, Quizzler, Node Invite, Taxonews, Classified Ads, Nodeauthor and Content Analysis modules can be exploited remotely via specially designed parameters or other unknown vectors;
  3. Unknown vulnerability in Path Breadcrumbs module can be exploited remotely via a 403 page reading;
  4. CSRF vulnerabilities in Node basket, Feature Set, Shibboleth Authentication, Corner, Node Invite, Patterns, Alfresco and Contact Form Fields modules can be exploited remotely via unspecified vectors;
  5. Improper access restrictions in Views module can be exploited remotely via unknown vectors;
  6. Improper token generation in Amazon AWS module can be exploited remotely via unspecified vectors.

Original advisories

Related products

Drupal

CVE list

CVE-2015-3393 high

CVE-2015-3392 warning

CVE-2015-3391 critical

CVE-2015-3390 warning

CVE-2015-3389 warning

CVE-2015-3388 high

CVE-2015-3387 warning

CVE-2015-3386 warning

CVE-2015-3385 warning

CVE-2015-3384 warning

CVE-2015-3383 high

CVE-2015-3382 high

CVE-2015-3381 warning

CVE-2015-3380 high

CVE-2015-3379 warning

CVE-2015-3378 warning

CVE-2015-3376 warning

CVE-2015-3375 high

CVE-2015-3374 high

CVE-2015-3373 critical

CVE-2015-3372 warning

CVE-2015-3371 high

CVE-2015-3370 high

CVE-2015-3369 warning

CVE-2015-3368 warning

CVE-2015-3367 high

CVE-2015-3366 high

CVE-2015-3365 warning

CVE-2015-3364 warning

CVE-2015-3363 high

Solution

Update to the latest version or switch to other plugins.

Impacts

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to an attacker capturing information that is critical for the user or system.

  • CI

Code injection. Exploitation of vulnerabilities with this impact can lead to changes in target code.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

  • Commerce WeDeal versions earlier than 7.x-1.3
  • Ajax Timeline versions earlier than 7.x-1.1
  • Path Breadcrumbs versions earlier than 7.x-3.2
  • Facebook Album Fetcher all versions
  • Public Download Count versions earlier than 7.x-1.x-dev
  • Commerce Balanced Payments all versions
  • Taxonomy Tools versions earlier than 7.x-1.4
  • Node Access Product all versions
  • Taxonomy Path versions earlier than 7.x-1.2
  • Node basket all versions
  • Feature Set all versions
  • Views versions earlier than 6.x-2.18
  • Views 6.x-3.x versions earlier than 6.x-3.2
  • Views 7.x-3.x versions earlier than 7.x-3.10
  • Quizzler versions earlier than 7-x.1.16
  • Shibboleth Authentication versions earlier than 6.x-4.1
  • Shibboleth Authentication 7.x-4.x versions earlier than 7.x-4.1
  • Corner all versions
  • Amazon AWS versions earlier than 7.x-1.3
  • Node Invite versions earlier than 6.x-2.5
  • Taxonews versions earlier than 6.x-1.2
  • Taxonews 7.x-1.x versions earlier than 7.x-1.1
  • Classified Ads versions earlier than 6.x-3.1
  • Classified Ads 7.x-3.x versions earlier than 7.x-3.1
  • Patterns versions earlier than 7.x-2.2
  • Alfresco versions earlier than 6.x-1.3
  • Nodeauthor all versions
  • Content Analysis versions earlier than 6.x-1.7
  • Contact Form Fields versions earlier than 6.x-2.3
