Project: Drupal core
Date:2023-January-18
Security risk: Moderately critical 12∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThis module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"
Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13∕25
Vulnerability: Information DisclosureThis module enables you to build searches using a wide range of features, data sources and backends.
The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.
Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassThis module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.
The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.
Project: S3 File System
Date: 2022-September-28
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThis module enables you to utilize S3-compatible storage as a Drupal filesystem.
The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.
Project: Drupal core
Date: 2022-September-28
Security risk: Critical 18∕25
Vulnerability: Multiple vulnerabilities
Affected versions: >= 8.0.0 = 9.4.0 Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassThe Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.
Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassThis module enables you to set content permissions based on taxonomy terms.
The module doesn't sufficiently restrict access to translated and unpublished nodes.
This vulnerability is mitigated by the fact that it only affects sites with translated content.
Install the latest version:
Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingjQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).
Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingThis module enables you to conditionally display blocks in particular theme regions.
The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".