The AltaGrade Blog

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Nick

Marketing Project Manager

Aug 16, 2022
Add comment

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

Project: PDF generator API
Version: 2.2.1, 2.2.0, 2.1.0, 2.0.0
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Remote Code Execution

Description

This module enables you to generate PDF versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

Project: Tagify
Version: 1.0.4, 1.0.3, 1.0.2-beta1, 1.0.1-beta1, 1.0.0-beta1
Date: 2022-July-27
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass

Description

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure

Description

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12∕25
Vulnerability: Access Bypass

Description

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Project: Drupal core
Date: 2022-July-20
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code execution

Description

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25 
Vulnerability: Multiple vulnerabilities

Description

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jul 13, 2022
Add comment

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13∕25
Vulnerability: Multiple: Remote Code Execution, Information disclosure

Description

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

Nick

Marketing Project Manager

Jun 29, 2022
Add comment

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Project: Lottiefiles Field
Date: 2022-June-29
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting

Description

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

The AltaGrade Blog

Description

Description

Description

Description

Description

Description

Solution

Description

Description

Solution

Description

Description

Pages