Project: Hostmaster (Aegir)
Version: 7.x-3.x-dev
Date: 2020-July-29
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass, Arbitrary code executionAegir is a powerful hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.
Given that
Project: Group
Version: 8.x-1.x-dev
Date: 2020-July-29
Security risk: Critical 15∕25
Vulnerability: Information DisclosureThis module enables you to hand out permissions on a smaller subset, section or community of your website.
Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16∕25
Vulnerability: Access bypassThe Modal form module is a toolset for quick start of using forms in modal windows.
Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the form's fully-qualified class name.
Upgrade to modal_form-8.x-1.2.
Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.
The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.
Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25
Vulnerability: Access bypassThe renderkit module contains components which can transform the display of field items sent to it.
Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.
PSA-2020-06-24
Date: 2020-June-24The Drupal Security Team has announced today that given the impact of COVID-19 on budgets and businesses Drupal 7's end-of-life, previously scheduled for November 2021, will be extended until November 28, 2022.
Project: Internationalization
Version: 7.x-1.x-dev
Date: 2020-June-17
Security risk: Moderately critical 14∕25
Vulnerability: Cross site scriptingThe Internationalization (i18n) module is a collection of modules to extend Drupal 7 core multilingual capabilities and allows to build real life multilingual sites.
A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability.
Project: Drupal core
Date: 2020-June-17
Security risk: Less critical 8∕25
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665JSON:API PATCH requests may bypass validation for certain fields.
By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.
Install the latest version:
Project: Drupal core
Date: 2020-June-17
Security risk: Critical 17∕25
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.