Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalation

Description

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without those users needing the "administer permissions" permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own user account.

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module exposed too much information about users, such as the list of groups a given uid belongs to.

Solution

Install the latest version:

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15∕25
Vulnerability: Cross Site Scripting

Description

The SVG Formatter module provides support for using SVG images on your website.

Its dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

Project: Entity Reference Tree Widget
Date: 2022-February-23
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module provides an entity relationship hierarchy tree widget for an entity reference field.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosure

Description

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 14∕25
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
