Project: Super Login
Date: 2022-January-05
Security risk: Critical 18∕25
Vulnerability: Access bypassThis module enables you to login with an email address.
The module doesn't sufficiently check if a user account is active when using email login.
This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked.
Install the latest version:
Project: Simple OAuth (OAuth2) & OpenID Connect
Date: 2022-January-05
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassThis module enables you to implement OAuth 2.0 authentication for Drupal.
The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.
Project: Wysiwyg
Date: 2022-January-05
Security risk: Moderately critical 14∕25
Vulnerability: Cross site scriptingThis module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.
Project: Mail Login
Date: 2021-December-22
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassThis modules enables users to login via email address.
This module does not sufficiently check user status when authenticating.
Install the latest version:
If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5
Project: Search API Pages
Date: 2021-December-08
Security risk: Critical 16∕25
Vulnerability: Cross Site ScriptingThis module enables you to create simple search pages based on Search API without the use of Views.
The module doesn’t sufficiently escape all variables provided for custom templates.
This vulnerability is mitigated by the fact that the default template provided by the module is not affected.
Install the latest version:
Project: Webform
Date: 2021-December-08
Security risk: Critical 16∕25
Vulnerability: Cross Site Scripting, Access BypassThis module enables you to build forms and surveys in Drupal.
As of November 17, 2021, the Drupal core version 8 series has reached end-of-life. This means that all releases of Drupal 8 core (with 8.y.x version numbers) and Drupal contributed project releases that are compatible with only Drupal 8 will be marked unsupported as they no longer have security team support.
Drupal 8.0.0 was first released on November 9, 2015. The last version was released on November 17, 2021.
Project: Drupal core
Date: 2021-November-17
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingThe Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update.
Project: OpenID Connect Microsoft Azure Active Directory client
Date: 2021-November-17
Security risk: Moderately critical 14∕25
Vulnerability: Access BypassThis module enables users to authenticate through their Microsoft Azure AD account.
The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.
Project: Loft Data Grids
Date: 2021-October-13
Security risk: Moderately critical 11∕25
Vulnerability: XML External Entity (XXE) ProcessingThis module enables aklump/loft_data_grids to be used as a Drupal module.