The AltaGrade Blog

Several moderately critical and critical bugs are found in Drupal core

Several moderately critical and critical bugs are found in Drupal core

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25 
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666

Description

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution

Install the latest version:

Read More

WordPress 5.5 named “Eckstine” has been released today

WordPress 5.5 named “Eckstine” has been released today

A new version of WordPress named “Eckstine” has been released today. Named “Eckstine” in honor of Billy Eckstine, this latest and greatest version of WordPress is available for download or update in your dashboard.

Speed

Posts and pages feel faster, thanks to lazy-loaded images.

Images give your story a lot of impact, but they can sometimes make your site seem slow.

In WordPress 5.5, images wait to load until they’re just about to scroll into view. The technical term is ‘lazy loading.’

Read More

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.

Read More

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

The Modal form module is a toolset for quick start of using forms in modal windows.

Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the form's fully-qualified class name.

Solution

Upgrade to modal_form-8.x-1.2.

Read More

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.

Read More

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25 
Vulnerability: Access bypass

Description

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

Read More

Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024

drupal hosting

Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Read More

WordPress 5.4.2 has been released

WordPress hosting

This security and maintenance release features 22 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates

Read More

Pages