The AltaGrade Blog

Drupal 9 Reaches End of Life


On November 1, 2023, Drupal 9 officially reached its end of life.

Drupal 9 depends on several essential software components, including Symfony, CKEditor, and Twig. Because Symfony 4, CKEditor 4, and Twig 2 are all reaching end of life, Drupal 9 has now entered its end-of-life phase. There will be no further Drupal 9 releases, security releases included.


Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046


Project: Entity cache
Date: 2023-September-27
Security risk: Critical 16/25
Vulnerability: Information disclosure

Description

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.


Drupal 10.0.0 has been released


Thanks to 2129 contributors from 616 organizations resolving 4083 issues in the past two and a half years, Drupal 10.0.0 is available today! This new version sets Drupal up for continued stability and security for the longer term. All new features will be added to Drupal 10 going forward.


Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026


Project: Entity Reference Tree Widget
Date: 2022-February-23
Security risk: Moderately critical 12/25
Vulnerability: Cross Site Scripting

Description

This module provides an entity relationship hierarchy tree widget for an entity reference field.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to modify an entity that is referenced by the field.


Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004


Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 12/25
Vulnerability: Information disclosure

Description

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.


Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003


Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 14/25
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.


Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023


Project: Fancy File Delete
Date: 2022-February-09
Security risk: Moderately critical 14/25
Vulnerability: Access Bypass

Description

This module enables you to manage and delete files.

The module doesn't sufficiently protect its unmanaged-files view: an unauthenticated user who knows the path can visit the view and attempt to delete files, which results in duplicate files being created.
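The Quick Edit advisory above (permission held, but entity access never consulted) and this Fancy File Delete advisory (a view reachable by anyone who knows its path) are the same class of bug at two different layers: the route and the entity. The controller below is an added example, not code from Drupal core, the Quick Edit module, or the Fancy File Delete module. It assumes a hypothetical custom module named example_access on a Drupal 9/10 site; the class name, route name, path and the "access in-place editing" permission reuse are illustrative choices, and the routing.yml fragment in the docblock is an assumed companion file.

```php
<?php

declare(strict_types=1);

// Added example; not code from Drupal core's Quick Edit module or from the
// Fancy File Delete module. Assumes a hypothetical module "example_access";
// the class, route and path are made up for illustration.

namespace Drupal\example_access\Controller;

use Drupal\Component\Plugin\Exception\PluginNotFoundException;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Cache\CacheableJsonResponse;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Serves one field value as JSON, with access enforced at two layers.
 *
 * Assumed route in example_access.routing.yml:
 *   example_access.preview:
 *     path: '/example-access/{entity_type}/{id}/{field}'
 *     defaults:
 *       _controller: '\Drupal\example_access\Controller\FieldPreviewController::preview'
 *     requirements:
 *       _custom_access: '\Drupal\example_access\Controller\FieldPreviewController::access'
 */
class FieldPreviewController extends ControllerBase {

  /**
   * Layer 1, route access: callers without the permission never reach preview().
   *
   * This is what keeps an anonymous user who merely knows the path out of the
   * endpoint. A route with no "requirements" access key is reachable by everyone.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermission($account, 'access in-place editing');
  }

  /**
   * Layer 2, entity and field access: the permission alone is not enough.
   *
   * Holding the permission says nothing about whether this user may view this
   * particular entity (unpublished node, restricted group content, an entity
   * locked down by a contrib access module), so the entity itself is asked.
   */
  public function preview(string $entity_type, string $id, string $field): CacheableJsonResponse {
    try {
      $storage = $this->entityTypeManager()->getStorage($entity_type);
    }
    catch (PluginNotFoundException $e) {
      throw new NotFoundHttpException();
    }
    $entity = $storage->load($id);
    if (!$entity instanceof FieldableEntityInterface || !$entity->hasField($field)) {
      throw new NotFoundHttpException();
    }

    $account = $this->currentUser();
    // Ask for result objects (TRUE) so cache metadata travels with the verdict.
    $entity_access = $entity->access('view', $account, TRUE);
    $field_access = $entity->get($field)->access('view', $account, TRUE);
    $access = $entity_access->andIf($field_access);
    if (!$access->isAllowed()) {
      // 403 rather than 404: the URL is legitimate, the caller is not.
      throw new AccessDeniedHttpException();
    }

    $response = new CacheableJsonResponse([
      'entity_type' => $entity_type,
      'id' => $entity->id(),
      'field' => $field,
      'value' => $entity->get($field)->getString(),
    ]);
    // The body depends on who asked and on the entity: record both so a cache
    // layer can never hand this response to a user who would fail the check.
    $response->addCacheableDependency($access);
    $response->addCacheableDependency($entity);
    return $response;
  }

}
```

The point to carry over to a review of any module: a `_permission` or `_custom_access` requirement on the route answers "may this role use this endpoint at all", and only `$entity->access()` (and `FieldItemList::access()` for the field) answers "may this user see this record". Dropping either layer reproduces one of the two advisories above, and forgetting to attach the access result as a cacheable dependency lets the page cache leak the first caller's answer to the next.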


Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024


Project: Custom Breadcrumbs
Date: 2022-February-09
Security risk: Less critical 8/25
Vulnerability: Cross Site Scripting

Description

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer custom breadcrumbs" permission.
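Both cross-site scripting advisories on this page (Entity Reference Tree Widget above and Custom Breadcrumbs here) are described the same way: the module "doesn't sufficiently filter on output". The following is an added example, not code from either module or from Drupal core, written in plain PHP so it runs without a Drupal install. The function names (esc, safeHref, renderBreadcrumbUnsafe, renderBreadcrumbSafe) and the breadcrumb data are constructed for the example; the data models what a user holding an administrative permission might save, since the mitigation in both advisories is only that such a role is required.

```php
<?php

declare(strict_types=1);

// Added example, not the Custom Breadcrumbs or Entity Reference Tree Widget
// module's code. Shows the difference between concatenating stored values
// into HTML and escaping each value for the context it lands in.

/** Escape a string for an HTML text node or a double-quoted attribute value. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Escaping alone does not make an href safe: "javascript:alert(1)" contains
 * nothing htmlspecialchars() would touch. Allow-list the scheme instead.
 */
function safeHref(string $url): string
{
    // Browsers discard ASCII control characters while parsing a scheme, so
    // "java\tscript:" would slip past a naive prefix check. Refuse them outright.
    if (preg_match('/[\x00-\x20]/', $url)) {
        return '#';
    }
    // Protocol-relative URLs keep the page's scheme but change the host.
    if (substr($url, 0, 2) === '//') {
        return '#';
    }
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        // Absolute URL: only these schemes are acceptable in a breadcrumb link.
        if (!in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
            return '#';
        }
    }
    // Relative path or allowed scheme: still escape it for the attribute context.
    return esc($url);
}

/** Vulnerable: trusts title and path, the "insufficient filtering on output" pattern. */
function renderBreadcrumbUnsafe(array $crumbs): string
{
    $html = '<ol class="breadcrumb">';
    foreach ($crumbs as $crumb) {
        $html .= '<li><a href="' . $crumb['path'] . '">' . $crumb['title'] . '</a></li>';
    }
    return $html . '</ol>';
}

/** Hardened: every value is encoded for its context before it touches the markup. */
function renderBreadcrumbSafe(array $crumbs): string
{
    $html = '<ol class="breadcrumb">';
    foreach ($crumbs as $crumb) {
        $html .= '<li><a href="' . safeHref((string) $crumb['path']) . '">'
               . esc((string) $crumb['title']) . '</a></li>';
    }
    return $html . '</ol>';
}

// Constructed sample: breadcrumb definitions as an administrator could save them,
// one with a payload in the title and one with a payload in the link target.
$crumbs = [
    ['title' => 'Home', 'path' => '/'],
    ['title' => 'Docs <img src=x onerror=alert(document.cookie)>', 'path' => '/docs'],
    ['title' => 'Account', 'path' => 'javascript:alert(1)'],
];

echo renderBreadcrumbUnsafe($crumbs), "\n";
echo renderBreadcrumbSafe($crumbs), "\n";
```

Run it with `php breadcrumbs.php` and compare the two lines: the first carries both payloads verbatim, the second has the title turned into inert `&lt;img ...&gt;` text and the `javascript:` target replaced by `#`. In Drupal itself the same two controls are the render system and the URL helpers: put user-controlled text under `'#plain_text'` (or let Twig's autoescaping handle `{{ value }}`) instead of `'#markup'` or a `Markup` object, and pass link targets through `\Drupal\Component\Utility\UrlHelper::stripDangerousProtocols()` or build them with `Url::fromUserInput()`, which rejects anything that does not start with `/`, `?` or `#`.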

