The AltaGrade Blog

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026


Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9/25
Vulnerability: Access bypass

Description

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.


Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024


Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13/25
Vulnerability: Cross site scripting

Description

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module does not sufficiently sanitize block configuration, causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".


WordPress 5.4.2 has been released


This security and maintenance release features 22 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates


Services for Drupal 7 - Moderately critical - Access bypass - SA-CONTRIB-2020-022

Project: Services
Version: 7.x-3.x-dev
Date: 2020-June-03
Security risk: Moderately critical 11/25
Vulnerability: Access bypass

Description

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module's taxonomy term index resource does not honor certain access control query tags that core provides (but does not itself use) and that some contributed modules depend on to restrict term visibility.


Drupal 7.71 has been released today


Drupal 7.71 was released on 3 June 2020. This maintenance release of the Drupal 7 series includes bug fixes and small API/feature improvements. It does not introduce any major or non-backwards-compatible functionality, and it contains no security fixes.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020


Project: Drupal Commerce
Date: 2020-May-27
Security risk: Moderately critical 12/25
Vulnerability: Access bypass

Description

Drupal Commerce is used to build eCommerce websites and applications. It is possible to configure Commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.


Drupal 7 core - Moderately critical - Open Redirect - SA-CORE-2020-003


Project: Drupal core
Date: 2020-May-20
Security risk: Moderately critical 10/25
Vulnerability: Open Redirect

Description

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

