The AltaGrade Blog

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Nick

Marketing Project Manager

May 5, 2022
Add comment

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12∕25 
Vulnerability: Improper input validation

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Nick

Marketing Project Manager

Apr 13, 2022
Add comment

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.

Nick

Marketing Project Manager

Mar 23, 2022
Add comment

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15∕25
Vulnerability: Unsupported

Nick

Marketing Project Manager

Mar 23, 2022
Add comment

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Project: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalation

Description

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.

Nick

Marketing Project Manager

Mar 21, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Project: Drupal core
Date: 2022-March-21
Security risk: Moderately critical 11∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775

Description

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.

Nick

Marketing Project Manager

Mar 16, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

Project: Drupal core
Date: 2022-March-16
Security risk: Moderately critical 13∕25 
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729

Description

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Nick

Marketing Project Manager

Mar 11, 2022
Add comment

WordPress 5.9.2 Security and Maintenance Release

WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

Nick

Marketing Project Manager

Mar 9, 2022
Add comment

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass

Description

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was providing too much user information about users such as the list of groups a uid is in.

Solution

Install the latest version:

The AltaGrade Blog

Description

Description

Description

Description

Description

Description

Description

Description

Solution

Pages