Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassThis module allows you to attach tabular data to an entity.
There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.
According to the Public Service Advisory PSA-2011-002 - External libraries and plugins Drupal Security team has released an advisory today with regard to an exploit found in the third party library.
Project: Imagecache External
Date: 2019-August-21
Security risk: Critical 15∕25
Vulnerability: Insecure session token managementThis module that allows you to store external images on your server and apply your own Image Styles.
The module exposes cookies to external sites when making external image requests.
This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from trusted sources.
Project: Super Login
Date: 2019-August-14
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module improves the Drupal login page with the new features and layout.
The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field.
The vulnerability is mitigated by the fact it can only be exploited by a user with the "Administer super login" permission.
Project: scroll to top
Date: 2019-August-14
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThe Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node.
The module does not sufficiently filter configuration text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".
Project: Forms Steps
Date: 2019-August-14
Security risk: Critical 16∕25
Vulnerability: Access bypassForms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.
The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.
Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10∕25
Vulnerability: Open Redirect VulnerabilityThe External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.
The module did not have protection for the Redirect URL to go where content authors intended.
Install the latest version:
Drupal Security team announced today the discovery of vulnerabilities in Drupal 8 core and two Drupal 7 contributed modules - ImageCache Actions and Meta tags quick with the following details and recommended ways of mitigations.
Drupal Security Team has announced a moderately critical security advisory for both Drupal 7 & 8 cores today on May 8, 2019 with the following details:
Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14∕25
Vulnerability: Third-party librariesjQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.