Project: Drupal core
Date: 2024-January-17
Security risk: Moderately critical 11∕25
Vulnerability: Denial of Service
Affected versions: >=8.0 =10.2 The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
Install the latest version:
Project: Typogrify
Date: 2024-January-10
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0
The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.
The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.
Project: File Entity (fieldable files)
Date: 2024-January-10
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting, Access bypassFile entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.
On November 1, 2023, Drupal 9 has officially reached its end of life.
Drupal 9 depends on several essential software components, including Symfony, CKEditor, and Twig. With the approaching end of life for Symfony 4, CKEditor 4, and Twig 2, Drupal 9 has now transitioned into its end-of-life phase. There will be no further Drupal 9 releases.
Project: Entity cache
Date: 2023-September-27
Security risk: Critical 16∕25
Vulnerability: Information disclosureEntity Cache puts core entities into Drupal's cache API.
A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.
The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.
Thanks to 2129 contributors from 616 organizations resolving 4083 issues in the past two and a half years, Drupal 10.0.0 is available today! This new version sets Drupal up for continued stability and security for the longer term. All new features will be added to Drupal 10 going forward.
Project: GOV.UK Theme
Date: 2022-February-23
Security risk: Moderately critical 14∕25
Vulnerability: Cross site scriptingThe GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.
Project: Entity Reference Tree Widget
Date: 2022-February-23
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingThis module provides an entity relationship hierarchy tree widget for an entity reference field.
The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.
Project: Quick Edit
Date: 2022-February-16
Security risk: Moderately critical 12∕25
Vulnerability: Information DisclosureThis advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004.
Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosureThe Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.