Drupal

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Nick

Marketing Project Manager

Aug 15, 2019
Add comment

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Project: scroll to top
Date: 2019-August-14
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node.

The module does not sufficiently filter configuration text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Nick

Marketing Project Manager

Aug 15, 2019
Add comment

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Project: Forms Steps
Date: 2019-August-14
Security risk:  Critical 16∕25 
Vulnerability: Access bypass

Description

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.

The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Alex

Technical Support Specialist

Aug 15, 2019
Add comment

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10∕25 
Vulnerability: Open Redirect Vulnerability

Description

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.

The module did not have protection for the Redirect URL to go where content authors intended.

Solution

Install the latest version:

Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

Nick

Marketing Project Manager

Jul 18, 2019
Add comment

Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

Drupal Security team announced today the discovery of vulnerabilities in Drupal 8 core and two Drupal 7 contributed modules - ImageCache Actions and Meta tags quick with the following details and recommended ways of mitigations.

Moderately critical security update for Drupal 7 & 8 cores - SA-CORE-2019-007

Nick

Marketing Project Manager

May 8, 2019
Add comment

Moderately critical security update for Drupal 7 & 8 cores - SA-CORE-2019-007

Drupal Security Team has announced a moderately critical security advisory for both Drupal 7 & 8 cores today on May 8, 2019 with the following details:

Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14∕25
Vulnerability: Third-party libraries

Moderately critical Drupal core update - Cross Site Scripting - SA-CORE-2019-006

Nick

Marketing Project Manager

Apr 17, 2019
Add comment

Moderately critical Drupal core update - Cross Site Scripting - SA-CORE-2019-006

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

Timetable for migration to AltaGrade

Alex

Technical Support Specialist

Apr 8, 2019
Add comment

As you might know we first announced the launch of our new AltaGrade website and the new hosting platform back on November, 2018. Since then we've been accepting new orders on and migrating Drupion customers who wanted immediate upgrades to the new system.

A highly critical vulnerability in Drupal 8 core and several Drupal 7 contributed modules discovered: CVE-2019-6340

Nick

Marketing Project Manager

Feb 21, 2019
Add comment

The Drupal security team has announced the discovery of a highly critical remote code execution vulnerability and the release of the latest version of Drupal 8 to patch the critical vulnerability which could allow remote attackers to hack Drupal sites.

Happy eighteenth birthday, Drupal

Nick

Marketing Project Manager

Jan 16, 2019
Add comment

As a Drupal-oriented company we - AltaGrade team - are happy to be celebrating Drupal's eighteenth birthday and sharing the joy of the founder, Dries Buytaert:

Eighteen years ago today, I released Drupal 1.0.0. What started from humble beginnings has grown into one of the largest Open Source communities in the world. Today, Drupal exists because of its people and the collective effort of thousands of community members. Thank you to everyone who has been and continues to contribute to Drupal.

Drupal

Description

Description

Description

Solution

Pages