Drupal

There are known exploits! Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

Project: Drupal core
Date: 2020-November-25
Security risk: Critical 18∕25 
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-28949, CVE-2020-28948

Description

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Multiple security advisories are issued for Drupal 7, 8, 9 core and contributed modules: SA-CORE-2020-012, SA-CONTRIB-2020-035, SA-CONTRIB-2020-036, SA-CONTRIB-2020-037, SA-CONTRIB-2020-038

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17∕25 
Vulnerability: Remote Code Execution

Description

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.

Solution

Install the latest version:

Upgrade to Media oEmbed 7.x-2.8

Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO) - SQL Injection - SA-CONTRIB-2020-034

Project: Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO)
Date: 2020-October-14
Vulnerability: SQL Injection

Description

This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials.

The 8.x branch of the module is vulnerable to SQL injection.

Solution

Install the latest version:

If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1

Several moderately critical and critical bugs are found in Drupal core

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25 
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666

Description

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution

Install the latest version:

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-033

Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 11∕25
Vulnerability: Information disclosure

Description

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

Under very specific circumstances, where two group types support the same content yet hand out different permissions, non-members of the first group type may use the set of permissions of the second group type for the grouped content.

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 12∕25 
Vulnerability: Information disclosure

Description

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.

Solution

Install the latest version:

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
