Project: Drupal core
Date: 2022-March-21
Security risk: Moderately critical 11∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
Project: Drupal core
Date: 2022-March-16
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.
Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassThis module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.
The module was providing too much user information about users such as the list of groups a uid is in.
Install the latest version:
Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15∕25
Vulnerability: Cross Site ScriptingSVG Formatter module provides support for using SVG images on your website.
Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.
Project: GOV.UK Theme
Date: 2022-February-23
Security risk: Moderately critical 14∕25
Vulnerability: Cross site scriptingThe GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.
Project: Entity Reference Tree Widget
Date: 2022-February-23
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingThis module provides an entity relationship hierarchy tree widget for an entity reference field.
The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.
Project: Quick Edit
Date: 2022-February-16
Security risk: Moderately critical 12∕25
Vulnerability: Information DisclosureThis advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004.
Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosureThe Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 14∕25
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Project: Fancy File Delete
Date: 2022-February-09
Security risk: Moderately critical 14∕25
Vulnerability: Access BypassThis module enables you to manage and delete files.
The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.