The AltaGrade Blog

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

Project: Apigee Edge
Date: 2022-May-25
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.

The module discloses information by allowing attackers to view cached API keys from the browser cache for a limited time frame after the user logs in on the same computer.

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

Project: Wingsuit - Storybook for UI Patterns
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: Critical 16/25
Vulnerability: Access bypass

Description

The Wingsuit module enables site builders to build UI Patterns and/or Twig Components with Storybook and use them without any mapping code in Drupal.

The module doesn't have an access check for its admin form, allowing an attacker to view and modify the Wingsuit configuration.

Solution

Install the latest version:

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Project: Image Field Caption
Version: 8.x-1.1
Date: 2022-May-04
Security risk: Moderately critical 13/25
Vulnerability: Cross Site Scripting

Description

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module doesn't sanitize user input in certain cases, which leads to a Cross-Site Scripting (XSS) vulnerability.

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13/25
Vulnerability: Cross site scripting

Description

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13/25
Vulnerability: Access bypass

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12/25
Vulnerability: Improper input validation

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10/25
Vulnerability: Access bypass

Description

The Rename Admin Paths module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass the protection by using specially crafted URLs.
