Security

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure

Description

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.

Read More

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

Read More

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

Read More

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution

Install the latest version:

Read More

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

Read More

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Read More

Pages