Project: Drupal core
Date: 2021-November-17
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingThe Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update.
Project: OpenID Connect Microsoft Azure Active Directory client
Date: 2021-November-17
Security risk: Moderately critical 14∕25
Vulnerability: Access BypassThis module enables users to authenticate through their Microsoft Azure AD account.
The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.
Project: Loft Data Grids
Date: 2021-October-13
Security risk: Moderately critical 11∕25
Vulnerability: XML External Entity (XXE) ProcessingThis module enables aklump/loft_data_grids to be used as a Drupal module.
Project: Linkit
Date: 2021-September-29
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingLinkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.
It does not sufficiently sanitize user input.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle.
Install the latest version:
Project: Domain Group
Date: 2021-September-22
Security risk: Critical 18∕25
Vulnerability: Access bypassThis module enables sites to define a domain from Domain Access that points directly to a group page.
The module doesn't sufficiently manage the access to content administrative paths allowing an attacker to see and take actions on content (nodes) they should be allowed to.
Install the latest version:
Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider
Date: 2021-September-22
Security risk: Moderately critical 14∕25
Vulnerability: Multiple vulnerabilitiesThis module provides a solution to authenticate visitors using existing SAML providers.
Certain non-default configurations allow a malicious user to login as any chosen user.
Project: Taxonomy Manager
Date: 2021-September-22
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThis module provides a powerful interface for managing a taxonomy vocabulary. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed.
The module does not take the correct user permissions into account, allowing an attacker to delete and move terms.
Project: Search API attachments
Date: 2021-September-22
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code execution
This module enables you to extract the textual content of files for use on a website, e.g. to display it or or use it in search indexes.
The module doesn't sufficiently protect the administrator-defined commands which are executed on the server, which leads to post-authentication remote code execution by a limited set of users.
Project: File Extractor
Date: 2021-September-22
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code executionThis module enables you to extract the textual content of files for use on a website, e.g. to display it or or use it in search indexes.
The module doesn't sufficiently protect the administrator-defined commands which are executed on the server, which leads to post-authentication remote code execution by a limited set of users.
Project: Commerce Core
Date: 2021-September-22
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass, Information DisclosureThis module provides a system for building an ecommerce solution in their Drupal site.
The module doesn't sufficiently verify access to profile data in certain circumstances.
This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation.
Install the latest version: