The AltaGrade Blog

Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012

Nick Onom's picture

Nick

 Marketing Project Manager

Jun 2, 2021
Add comment

Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012

Project: Frequently Asked Questions
Date: 2021-June-02
Security risk: Moderately critical 11∕25
Vulnerability: Cross Site Scripting

Description

The Frequently Asked Questions (faq) module allows users, with appropriate permissions, to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes configured. Basic Views layouts are also provided and can be customized via the Views UI (rather than via the module settings page).

Read More

Open Social - SQL Injection & Authentication Bypass vulnarabilities - SA-CONTRIB-2021-010 & SA-CONTRIB-2021-011

Nick Onom's picture

Nick

 Marketing Project Manager

Jun 2, 2021
Add comment

Open Social - SQL Injection & Authentication Bypass vulnarabilities - SA-CONTRIB-2021-010 & SA-CONTRIB-2021-011

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Project: Open Social
Date: 2021-June-02
Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default
Vulnerability: SQL Injection

Description

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

Read More

Backdrop core - Moderately critical - Cross Site Scripting

Nick Onom's picture

Nick

 Marketing Project Manager

May 26, 2021
Add comment

Backdrop core - Moderately critical - Cross Site Scripting

Date: Wednesday, May 26th, 2021
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2021-003
Vulnerability: Cross Site Scripting

Versions affected

  • Backdrop Core 1.19.x versions prior to 1.19.1
  • Backdrop Core 1.18.x versions prior to 1.18.5

Backdrop versions 1.17 and prior do not receive security coverage.

Description

Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

Read More

WordPress 5.7.2 Security Release

Nick Onom's picture

Nick

 Marketing Project Manager

May 13, 2021
Add comment

WordPress 5.7.2 Security Release

WordPress 5.7.2 is now available. This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8. You can update to WordPress 5.7.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Read More

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Nick Onom's picture

Nick

 Marketing Project Manager

May 12, 2021
Add comment

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Project: Gutenberg
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2021-May-12
Security risk: Critical 18∕25
Vulnerability: Access bypass

Description

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks.

Solution

Install the latest version:

Read More

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008

Nick Onom's picture

Nick

 Marketing Project Manager

May 12, 2021
Add comment

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008

Project: Facets
Version: 8.x-1.x-dev
Date: 2021-May-12
Security risk: Moderately critical 11∕25
Vulnerability: Cross site scripting

Description

This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.

The module doesn't sufficiently filter all output in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".

Read More

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Nick Onom's picture

Nick

 Marketing Project Manager

May 12, 2021
Add comment

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Project: Chaos Tool Suite (ctools)
Version: 8.x-3.5, 8.x-3.4, 8.x-3.3, 8.x-3.2, 8.x-3.1, 8.x-3.0
Date: 2021-May-12
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosure

Description

Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.

Read More

Backdrop core - Critical - Cross-site scripting - SA-CORE-2021-002

Nick Onom's picture

Nick

 Marketing Project Manager

Apr 21, 2021
Add comment

Backdrop core - Critical - Cross-site scripting - SA-CORE-2021-002

Date: Wednesday, Apr 21th, 2021
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2021-002
Vulnerability: Cross Site Scripting

Versions affected

  1. Backdrop Core 1.18.x versions prior to 1.18.3,
  2. Backdrop Core 1.17.x versions prior to 1.17.7
  3. Backdrop versions 1.16 and prior do not receive security coverage.

Description

Backdrop core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Read More

Pages