Project: Drupal core
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-29248Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
Project: Embed
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingThe Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.
In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).
Project: Open Social
Date: 2022-May-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassOpen Social is a Drupal distribution for online communities.
Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.
Project: Entity Browser Block
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassEntity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.
Project: Apigee Edge
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassThe Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.
The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.
Project: Wingsuit - Storybook for UI Patterns
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: Critical 16∕25
Vulnerability: Access bypassThe Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.
Install the latest version:
Project: Duo Two-Factor Authentication
Date: 2022-May-04
Security risk: Critical 15∕25
Vulnerability: UnsupportedThe security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.
Project: Quick Node Clone
Date: 2022-May-04
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.
Project: Image Field Caption
Version: 8.x-1.1
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingImage Field Caption (image_field_caption) adds an extra text area for captions on image fields.
The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.
Project: Doubleclick for Publishers (DFP)
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingDoubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.