Drupal

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Nick

Marketing Project Manager

May 5, 2022
Add comment

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12∕25 
Vulnerability: Improper input validation

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Nick

Marketing Project Manager

Apr 13, 2022
Add comment

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Nick

Marketing Project Manager

Mar 23, 2022
Add comment

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15∕25
Vulnerability: Unsupported

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Nick

Marketing Project Manager

Mar 23, 2022
Add comment

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalation

Description

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Nick

Marketing Project Manager

Mar 21, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Project: Drupal core
Date: 2022-March-21
Security risk: Moderately critical 11∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775

Description

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

Nick

Marketing Project Manager

Mar 16, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

Project: Drupal core
Date: 2022-March-16
Security risk: Moderately critical 13∕25 
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729

Description

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Nick

Marketing Project Manager

Mar 9, 2022
Add comment

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was providing too much user information about users such as the list of groups a uid is in.

Solution

Install the latest version:

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Nick

Marketing Project Manager

Mar 9, 2022
Add comment

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15∕25 
Vulnerability: Cross Site Scripting

Description

SVG Formatter module provides support for using SVG images on your website.

Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

Drupal

Description

Description

Description

Description

Description

Description

Description

Description

Solution

Description

Pages