Drupal

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Project: Drupal core
Date:2023-January-18
Security risk: Moderately critical 12∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 

Description

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

Read More

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass

Description

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"

Solution

 

Read More

Drupal 10.0.0 has been released

Drupal 10

Thanks to 2129 contributors from 616 organizations resolving 4083 issues in the past two and a half years, Drupal 10.0.0 is available today! This new version sets Drupal up for continued stability and security for the longer term. All new features will be added to Drupal 10 going forward.

Read More

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure

Description

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.

Read More

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

Read More

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

Read More

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution

Install the latest version:

Read More

Pages