Drupal

Several moderately critical and critical bugs are found in Drupal core

Several moderately critical and critical bugs are found in Drupal core

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25 
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666

Description

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution

Install the latest version:

Read More

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-033

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-033

Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 11∕25
Vulnerability: Information disclosure

Description

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

Under very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions of the 2nd group type for the grouped content.

Read More

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 12∕25 
Vulnerability: Information disclosure

Description

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.

Solution

Install the latest version:

Read More

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.

Read More

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

The Modal form module is a toolset for quick start of using forms in modal windows.

Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the form's fully-qualified class name.

Solution

Upgrade to modal_form-8.x-1.2.

Read More

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.

Read More

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25 
Vulnerability: Access bypass

Description

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

Read More

Pages