The AltaGrade Blog

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005


Project: Drupal core
Date: 2023-April-19
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003


Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 13/25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 

Description

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002


Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14/25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 

Description

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.


Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010


Project: Media Responsive Thumbnail
Date: 2023-March-15
Security risk: Moderately critical 14/25
Vulnerability: Information disclosure

Description

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.

This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001


Project: Drupal core
Date: 2023-January-18
Security risk: Moderately critical 12/25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 

Description

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.


Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001


Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10/25
Vulnerability: Access bypass

Description

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".



Drupal 10.0.0 has been released


Thanks to 2129 contributors from 616 organizations resolving 4083 issues in the past two and a half years, Drupal 10.0.0 is available today! This new version sets Drupal up for continued stability and security for the longer term. All new features will be added to Drupal 10 going forward.


Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059


Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13/25
Vulnerability: Information Disclosure

Description

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.


Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058


Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12/25
Vulnerability: Access bypass

Description

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

