Free hosting and discounted plans during the Coronavirus crisis
As a response to the COVID-19 crisis we recently announced a free hosting plans for non-profit organizations.
The AltaGrade Blog
Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021
Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20∕25
Vulnerability: Access bypass
Description
This module enables you to force a password update when using password reset link.
The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user.
Solution
Install the latest version:
Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020
Project: Drupal Commerce
Date: 2020-May-27
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassDescription
Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.
Drupal 7 core - Moderately critical - Open Redirect - SA-CORE-2020-003
Project: Drupal core
Date: 2020-May-20
Security risk: Moderately critical 10∕25
Vulnerability: Open RedirectDescription
Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019
Project: reCAPTCHA v3
Date: 2020-May-13
Security risk: Critical 18∕25
Vulnerability: Access bypassDescription
The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3.
If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.
Webform - Critical - Access bypass - SA-CONTRIB-2020-018
Project: Webform
Date: 2020-May-13
Security risk: Critical 15∕25
Vulnerability: Access bypassDescription
This webform module enables you to build a 'Term checkboxes' element.
The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element.
Drupal 8: Multiple critical and moderately critical security advisories for Webform module
Drupal Security team has released multiple critical and moderately critical security advisories for Webform module today. This module enables you to build forms and surveys in Drupal.
Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011
Project: Webform
Date: 2020-May-06
Security risk: Critical 17∕25
Vulnerability: Remote Code Execution
JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010
Project: JSON:API
Version: 8.x-1.26
Date: 2020-April-15
Security risk: Critical 15∕25
Vulnerability: UnsupportedDescription
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.
Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18∕25
Vulnerability: Access bypassDescription
The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.
The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass.
Solution
Install the latest version: