The AltaGrade Blog

Drupal 7: Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025

Drupal Security

Project: Internationalization
Version: 7.x-1.x-dev
Date: 2020-June-17
Security risk: Moderately critical 14∕25 
Vulnerability: Cross site scripting

Description

The Internationalization (i18n) module is a collection of modules to extend Drupal 7 core multilingual capabilities and allows to build real life multilingual sites.

A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability.

Read More

Drupal 8 and 9 core - Less critical - Access bypass - SA-CORE-2020-006

Drupal Security

Project: Drupal core
Date: 2020-June-17
Security risk: Less critical 8∕25 
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665

Description

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution

Install the latest version:

Read More

Drupal 8 and 9 core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Drupal Security

Project: Drupal core
Date: 2020-June-17
Security risk: Critical 17∕25 
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664

Description

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Read More

Time to update WordPress to 5.2.1

Time to update WordPress to 5.2.1

A short-cycle maintenance 5.2.1 release WordPress has been announced today. The next version 5.2.2 is expected to follow in approximately two weeks.

This maintenance release fixes 33 bugs, including improvements to the block editor, accessibility, internationalization, and the Site Health feature introduced in 5.2.

Read More