Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Install the latest version:
Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 11∕25
Vulnerability: Information disclosure
The Group module enables you to hand out permissions on a smaller subset, section or community of your website.
Under very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions of the 2nd group type for the grouped content.
Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosureThe Group module enables you to hand out permissions on a smaller subset, section or community of your website.
With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.
Install the latest version:
Project: Hostmaster (Aegir)
Version: 7.x-3.x-dev
Date: 2020-July-29
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass, Arbitrary code executionAegir is a powerful hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.
Given that
Project: Group
Version: 8.x-1.x-dev
Date: 2020-July-29
Security risk: Critical 15∕25
Vulnerability: Information DisclosureThis module enables you to hand out permissions on a smaller subset, section or community of your website.
Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16∕25
Vulnerability: Access bypassThe Modal form module is a toolset for quick start of using forms in modal windows.
Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the form's fully-qualified class name.
Upgrade to modal_form-8.x-1.2.
Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.
The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.
Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25
Vulnerability: Access bypassThe renderkit module contains components which can transform the display of field items sent to it.
Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.
PSA-2020-06-24
Date: 2020-June-24The Drupal Security Team has announced today that given the impact of COVID-19 on budgets and businesses Drupal 7's end-of-life, previously scheduled for November 2021, will be extended until November 28, 2022.