Drupal

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Read More

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12∕25
Vulnerability: Access Bypass

Description

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

Solution

Install the latest version:

Read More

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25 
Vulnerability: Multiple vulnerabilities

Description

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Solution

Install the latest version:

Read More

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13∕25
Vulnerability: Multiple: Remote Code Execution, Information disclosure

Description

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

Read More

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Project: Lottiefiles Field
Date: 2022-June-29
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting

Description

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

Read More

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

Project: Config Terms
Date: 2022-June-29
Security risk: Critical 15∕25
Vulnerability: Access bypass

Description

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

Read More

Pages