Drupal Security Releases for Wed, Oct 17, 2018 (SA-CORE-20178-006 and more)

If you haven’t seen the latest security updates, I’ve attached a summary of them, below.  They include some Critical, Remote Code Execution threats.  Please review your sites’ vulnerability and take appropriate action.

There’s more details on the linked pages, but here’s the short version for the releases that came out last night:

Drupal Core:  
https://www.drupal.org/sa-core-2018-006

  • Drupal 8: Content moderation - Moderately critical - Access bypass
    • Users can transition content to a state they shouldn’t be allowed to
    • This required changing the core module’s class interface and may require other related modules to be updated as well
  • Drupal 7/8: External URL injection through URL aliases - Moderately CriticalOpen Redirect
    • Users with 'administer paths' permission can create open redirects to malicious URLs
  • Drupal 7/8: Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution
    •  When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution
  • Drupal 8: Contextual Links validation - Critical - Remote Code Execution
    • Users with the "access contextual links" permission can execute arbitrary PHP code
    • NOTE: I’m not sure if this is correct, as I don’t see this permission on my system, only “Use contextual links”, which is available to many authenticated users.

Mitigation:

  • If you are running 7.x, upgrade to Drupal 7.60
  • If you are running 8.6.x, upgrade to Drupal 8.6.2
  • If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8
  • Upgrade any additional modules required from the D8 Content Moderation Updates

 

Contrib:

 

  • Drupal 7: Mime Mail - Critical - Remote Code Execution
  • Drupal 7 HTML Mail - Critical - Remote Code Execution
  • Drupal 7: Search Autocomplete - Moderately critical - Cross Site Scripting
  • Drupal 8: Workbench Moderation - Moderately critical - Access bypass

Mitigation:

  • Update to the latest versions of the affected modules.

If you don’t get these alerts directly, please sign up to get them.  To subscribe to the Drupal Security Mailing List, you should create/have an account on Drupal.org.  Then to subscribe to the Security email list: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.   You’ll then receive the security release emails when they come out.