Security

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15∕25
Vulnerability: Cross site scripting

Description

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution

Install the latest version:

Read More

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11∕25 
Vulnerability: Cross site scripting

Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Read More

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

Project: SAML Service Provider
Date: 2020-March-11
Security risk: Critical 15∕25
Vulnerability: Access bypass

Description

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

Read More

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

Project: Profile
Date: 2020-February-19
Security risk: Moderately critical 14∕25
Vulnerability: Access Bypass

Description

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution

Install the latest version:

Read More

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Project: Views Bulk Operations (VBO)
Date: 2020-February-05
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Read More

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Project: Radix
Date: 2020-January-15
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution

Install the latest version:

Read More

Pages