The AltaGrade Blog

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Nick

Marketing Project Manager

Mar 25, 2020
Add comment

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15∕25
Vulnerability: Cross site scripting

Description

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution

Install the latest version:

Nick

Marketing Project Manager

Mar 25, 2020
Add comment

Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2020-001
Vulnerability: Third Party Libraries

Description

The Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.

Nick

Marketing Project Manager

Mar 19, 2020
Add comment

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11∕25 
Vulnerability: Cross site scripting

Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Nick

Marketing Project Manager

Mar 19, 2020
Add comment

Drupal 8 core - Moderately critical - Third-party library - SA-CORE-2020-001

Project: Drupal core
Versions: 8.8.x-dev, 8.7.x-dev
Date: 2020-March-18
Security risk: Moderately critical 13∕25
Vulnerability: Third-party library

Description

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Nick

Marketing Project Manager

Mar 12, 2020
Add comment

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

Project: SAML Service Provider
Date: 2020-March-11
Security risk: Critical 15∕25
Vulnerability: Access bypass

Description

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

Nick

Marketing Project Manager

Feb 19, 2020
Add comment

Project: Profile
Date: 2020-February-19
Security risk: Moderately critical 14∕25
Vulnerability: Access Bypass

Description

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jan 20, 2020
3 comments

If not Drupal 8 then definitely Backdrop!

Since its official release on January 5, 2011 for many years Drupal 7 had been the content management system of choice for the majority of the web-projects hosted on AltaGrade platform. However, the picture has been gradually changing after Drupal 7's end-of-life was announced to take place sometime in November 2021 with growing number of Drupal 8, Wordpress, Backdrop or other types of websites coming instead.

Nick

Marketing Project Manager

Dec 19, 2019
Add comment

A critical and three "moderately critical" vulnerabilities found in Drupal 7 and 8

Project: Drupal core
Version: 8.8.x-dev, 8.7.x-dev, 7.x-dev
Date: 2019-December-18
Security risk: Critical 17∕25 
Vulnerability: Multiple vulnerabilities

Drupal Security team released important security updates for Drupal 7 and Drupal 8 which address a critical and three "moderately critical" vulnerabilities in its core system.

Nick

Marketing Project Manager

Dec 13, 2019
Add comment

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 is now available! This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking this link, or visit your WordPress website's Dashboard → Updates and click Update Now.

Nick

Marketing Project Manager

Dec 11, 2019
Add comment

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
Project: Webform
Versions: 7.x-4.x, 7.x-3.x
Date: 2019-December-11
Security risk: Critical 15∕25 
Vulnerability: Multiple vulnerabilities

Description

This module enables you to create forms to collect information from users and report, analyze and distribute it by email.

The AltaGrade Blog

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Description

Solution

Backdrop core - Moderately critical - Third-party library - BACKDROP-SA-CORE-2020-001

Description

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Description

Drupal 8 core - Moderately critical - Third-party library - SA-CORE-2020-001

Description

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

Description

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

Description

Solution

If not Drupal 8 then Backdrop - Upgrade your Drupal 7 website with AltaGrade!

A critical one and three "moderately critical" vulnerabilities found in Drupal 7 and 8

WordPress 5.3.1 Security and Maintenance Release

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Pages