Drupal

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Alex

Technical Support Specialist

Jan 26, 2022
Add comment

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Project: Private Taxonomy Terms
Date: 2022-January-26
Security risk: Critical 15∕25
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities

Description

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 - SA-CORE-2022-002

Alex

Technical Support Specialist

Jan 19, 2022
Add comment

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

Project: Drupal core
Date: 2022-January-19
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting

Description

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Alex

Technical Support Specialist

Jan 19, 2022
Add comment

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Project: jQuery UI Datepicker
Date: 2022-January-19
Security risk: Moderately critical 14∕25 
Vulnerability: Cross Site Scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

Alex

Technical Support Specialist

Jan 5, 2022
Add comment

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

Project: Super Login
Date: 2022-January-05
Security risk: Critical 18∕25
Vulnerability: Access bypass

Description

This module enables you to login with an email address.

The module doesn't sufficiently check if a user account is active when using email login.

This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked.

Solution

Install the latest version:

Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

Alex

Technical Support Specialist

Jan 5, 2022
Add comment

Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

Project: Simple OAuth (OAuth2) & OpenID Connect
Date: 2022-January-05
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module enables you to implement OAuth 2.0 authentication for Drupal.

The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.

Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

Alex

Technical Support Specialist

Jan 5, 2022
Add comment

Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

Project: Wysiwyg
Date: 2022-January-05
Security risk: Moderately critical 14∕25 
Vulnerability: Cross site scripting

Description

This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047

Alex

Technical Support Specialist

Dec 23, 2021
Add comment

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047

Project: Mail Login
Date: 2021-December-22
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This modules enables users to login via email address.

This module does not sufficiently check user status when authenticating.

Solution

Install the latest version:

If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5

Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

Alex

Technical Support Specialist

Dec 10, 2021
Add comment

Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

Project: Search API Pages
Date: 2021-December-08
Security risk: Critical 16∕25 
Vulnerability: Cross Site Scripting

Description

This module enables you to create simple search pages based on Search API without the use of Views.

The module doesn’t sufficiently escape all variables provided for custom templates.

This vulnerability is mitigated by the fact that the default template provided by the module is not affected.

Solution

Install the latest version:

Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Alex

Technical Support Specialist

Dec 10, 2021
Add comment

Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Project: Webform
Date: 2021-December-08
Security risk: Critical 16∕25
Vulnerability: Cross Site Scripting, Access Bypass

Description

Access Bypass:

This module enables you to build forms and surveys in Drupal.

Drupal 8 is now end-of-life - PSA-2021-11-30

Alex

Technical Support Specialist

Dec 1, 2021
Add comment

Drupal 8 is now end-of-life - PSA-2021-11-30

Description

As of November 17, 2021, the Drupal core version 8 series has reached end-of-life. This means that all releases of Drupal 8 core (with 8.y.x version numbers) and Drupal contributed project releases that are compatible with only Drupal 8 will be marked unsupported as they no longer have security team support.

Drupal 8.0.0 was first released on November 9, 2015. The last version was released on November 17, 2021.