Security

Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Project: Admin Toolbar
Date: 2021-August-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting, Access Bypass

Description

The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.

The Admin Toolbar Search sub-module of this module

Read More

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

Project: Pages Restriction Access
Date: 2021-July-28
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

This project enables administrators to restrict access from anonymous and regular users to pre-defined pages.

The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings.

Solution

Install the latest version:

Read More

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Project: Form mode manager
Date: 2021-July-21
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass

Description

This module provides a user interface that allows the implementation and use of Form modes without custom development.

The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.

Read More

Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004

Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004

Project: Drupal core
Date: 2021-July-21
Security risk: Critical 15∕25
Vulnerability: Drupal core - Critical - Third-party libraries
CVE IDs: CVE-2021-32610

Description

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.

The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.

Read More

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021

Project: Linky Revision UI
Date: 2021-June-30
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass

Description

This module provides a revision UI for Linky entities.

The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.

Solution

Install the latest version:

Read More

Pages