There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely.
The vulnerabilities are in the Open Semantic Framework, which is a third-party project and not part of the Drupal Core. The framework is used to allow “structured data (RDF) and associated vocabularies (ontologies) to ‘drive’ tailored tools and data displays within Drupal”, the advisory on the vulnerabilities says. There are three separate bugs in the OSF framework.
“The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values in some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with OSF Ontology module enabled are affected,” the advisory says.
In addition to the XSS flaw, the OSF module also is susceptible to a CSRF attack and arbitrary file deletion.
“A malicious user can cause an administrator to delete files by getting their browser to make a request to a specially-crafted URL. Only sites with OSF Ontology and OSF Import modules enabled are affected,” the advisory says.
“Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator’s browser to make a request to a specially-crafted URL. Only sites with OSF Import module enabled are affected.”
The bugs are fixed in version 7.x-3.1.
There is also an XSS bug in a separate Drupal module called Time Tracker. That module is used to track the time on comments and entities on Drupal sites.
“The module doesn’t sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission ‘Add Time Tracker Entries’,” the Drupal advisory says.
“The module doesn’t sufficiently filter activities used to categorize time tracker entries. This vulnerability is mitigated by the fact that an attacker must have a role with the ‘Administer Time Tracker’ permission. This role has also been properly marked as ‘restrict access’.”
Users should update to the patched version, which is 7.x-1.4.