Fairly Critical SQL Injection Vulnerability in Anti-Spam by CleanTalk

Software Code
Unsplash

The Drupal Security Team released a security advisory SA-CONTRIB-2022-032 on March 30th, 2022 about a moderately critical SQL injection vulnerability in the Anti-Spam by CleanTalk module . The vulnerability is classified fairly critical based on the 14∕25 AC:Basic/A:None/CI:None/II:All/E:Theoretical/TD:Default status. 

The anti-spam module by CleanTalk protects the Drupal Sites from spambot registration, spam comments publications through comment and contact forms. It is reportedly an invisible anti-spam without captcha, questions, puzzles etc. CleanTalk is a SaaS spam protection service for websites.

3, 025 sites report using this module. The SQL injection vulnerability is because the module does not properly filter data in certain circumstances.

Solution

If you use the Anti Spam by CleanTalk module for Drupal 8.x, upgrade to Anti Spam by CleanTalk 8.x-4.13 and if using the module for Drupal 9.x, upgrade to Anti Spam by CleanTalk 9.1.19.

The issue was reported by Glomberg of CleanTalk and Heine of the Drupal Security Team and fixed by Glomberg, which was coordinated by Chris McCafferty and Greg Knaddison of the Drupal Security Team.

Source: https://www.drupal.org/sa-contrib-2022-032

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please let us know in the comments below and we will try to address the issue as best we can.

Advertisement Here

Call for Support