The AltaGrade Blog

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Nov 6, 2019
Add comment

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management

Description

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

Read More

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Public Group's picture

Public

Oct 16, 2019
Add comment

Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access Bypass

Description

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

Read More

WordPress 5.2.4 security release has been announced

Nick Onom's picture

Nick

 Marketing Project Manager

Oct 15, 2019
Add comment

WordPress 5.2.4 security release has been announced

WordPress 5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

The following security vulnerabilities have been detected and addressed in this release:

Read More

Maintenance on all Germany-based servers

Public Group's picture

Public

Oct 10, 2019
Add comment

Type: Maintenance work
Category: Advanced infrastructure
Start: October 16, 2019 3:00 AM CEST
End: October 16, 2019 3:05 AM CEST

Description

In the above mentioned period maintenance on our European data-center will be performed. During this maintenance, the affected servers and the websites hosted accounts on them will not be available for about five minutes.

Affected clients

AltaGrade clients who have their projects hosted on Germany-based AltaGrade servers.

Read More

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Nick Onom's picture

Nick

 Marketing Project Manager

Oct 2, 2019
Add comment

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Project: Simple AMP (Accelerated Mobile Pages)
Date: 2019-October-02
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

This module allows display of a site's content in AMP format.

The module doesn't sufficiently check access on unpublished or restricted content.

Solution

Install the latest version of the module.

Read More

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Nick Onom's picture

Nick

 Marketing Project Manager

Sep 25, 2019
Add comment

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Project: Gutenberg
Date: 2019-September-25
Security risk: Critical 16∕25 
Vulnerability: Access bypass

Description

This module provides a new UI experience for node editing - Gutenberg editor.

The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify.

Solution

Install the latest version:

Read More

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Nick Onom's picture

Nick

 Marketing Project Manager

Sep 25, 2019
Add comment

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution

Install the latest version:

Read More

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

Nick Onom's picture

Nick

 Marketing Project Manager

Sep 18, 2019
Add comment

Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.

Read More

Pages