The AltaGrade Blog

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Read More

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

Read More

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12∕25 
Vulnerability: Improper input validation

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Read More

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.

Read More

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalation

Description

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.

Read More

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

Read More

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was providing too much user information about users such as the list of groups a uid is in.

Solution

Install the latest version:

Read More

Pages