Security

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

Read More

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution

Install the latest version:

Read More

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

Read More

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Read More

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12∕25
Vulnerability: Access Bypass

Description

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

Solution

Install the latest version:

Read More

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25 
Vulnerability: Multiple vulnerabilities

Description

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Solution

Install the latest version:

Read More

Pages