The AltaGrade Blog

Multiple security advisories are issued for Drupal 7, 8, 9 core and contributed modules: SA-CORE-2020-012, SA-CONTRIB-2020-035, SA-CONTRIB-2020-036, SA-CONTRIB-2020-037, SA-CONTRIB-2020-038

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17/25
Vulnerability: Remote Code Execution

Description

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.

Solution

Install the latest version:

Upgrade to Media oEmbed 7.x-2.8

Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO) - SQL Injection - SA-CONTRIB-2020-034

Project: Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO)
Date: 2020-October-14
Vulnerability: SQL Injection

Description

This module lets you log in to any OAuth 2.0 compliant application using Drupal credentials.

The 8.x branch of the module is vulnerable to SQL injection.

Solution

Install the latest version:

If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1

Several moderately critical and critical bugs are found in Drupal core

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14/25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666

Description

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution

Install the latest version:

WordPress 5.5 named “Eckstine” has been released today

A new version of WordPress named “Eckstine” has been released today. Named “Eckstine” in honor of Billy Eckstine, this latest and greatest version of WordPress is available for download or update in your dashboard.

Speed

Posts and pages feel faster, thanks to lazy-loaded images.

Images give your story a lot of impact, but they can sometimes make your site seem slow.

In WordPress 5.5, images wait to load until they’re just about to scroll into view. The technical term is ‘lazy loading.’

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10/25
Vulnerability: Access bypass

Description

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.

Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029

Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16/25
Vulnerability: Access bypass

Description

The Modal Form module is a toolset for quickly getting started with forms in modal windows.

Any form can be viewed and submitted when the modal_form module is installed. The only requirement is knowing the form's fully-qualified class name.

Solution

Upgrade to modal_form-8.x-1.2.

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13/25
Vulnerability: Cross site scripting

Description

This module uses the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and their respective links, then shows them as breadcrumbs on your website.

The module doesn't sufficiently sanitize editor input in certain circumstances, leading to a Cross Site Scripting (XSS) vulnerability.