The AltaGrade Blog

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Project: Drupal core
Date: 2021-April-21
Security risk: Critical 15/25
Vulnerability: Cross-site scripting

Description

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Solution

Install the latest version:

Joomla Core - Escape xss in logo parameter error pages

Impact: Low
Severity: Low
Versions: 3.0.0 - 3.9.25
Exploit type: XSS
Reported Date: 2021-03-09
Fixed Date: 2021-04-13
CVE Number: CVE-2021-26030

Description

Inadequate escaping of the logo parameter in the default templates allowed cross-site scripting on error pages.
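The bug class named here is output escaping in an HTML attribute context. The following is an added illustration, not Joomla's template code and not the fix shipped in 3.9.26: the parameter name, the markup and the sample inputs are assumptions, chosen to show why an unescaped template setting inside an attribute is exploitable and what the escaped form looks like.

```php
<?php
// Added illustration only; the "logo" parameter is a hypothetical stand-in
// for a template setting that is rendered into an <img> attribute on an
// error page. Neither function is Joomla's code.

// Vulnerable pattern: the value is concatenated into an attribute without
// escaping, so a double quote inside it closes the attribute and whatever
// follows is parsed as further markup (for example an event handler).
function renderLogoUnsafe(string $logo): string
{
    return '<img class="logo" src="' . $logo . '" alt="">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES
// encodes both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from making
// htmlspecialchars() return an empty string, and the charset is explicit.
function renderLogoSafe(string $logo): string
{
    $escaped = htmlspecialchars($logo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img class="logo" src="' . $escaped . '" alt="">';
}

// Constructed inputs: a benign path and a generic attribute-breakout string.
$inputs = [
    'images/logo.png',
    'x" onerror="alert(document.domain)',
];

foreach ($inputs as $input) {
    echo "input:   {$input}\n";
    echo "unsafe:  " . renderLogoUnsafe($input) . "\n";
    echo "escaped: " . renderLogoSafe($input) . "\n";
    // A well-formed <img> with three attributes has exactly six raw double
    // quotes; any extra quote means the input broke out of its attribute.
    echo "raw quotes in unsafe/escaped output: "
        . substr_count(renderLogoUnsafe($input), '"') . '/'
        . substr_count(renderLogoSafe($input), '"') . "\n\n";
}
```

For the breakout input the unsafe output contains eight raw quotes and an `onerror` attribute the template author never wrote, while the escaped output contains six quotes and the payload survives only as `&quot;`-encoded text inside `src`. The same rule applies to every template parameter rendered into markup, not just the logo: escape at the output point, for the context (attribute, text node, URL) the value lands in.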

Affected Installs

Joomla! CMS versions 3.0.0 - 3.9.25

Solution

Upgrade to version 3.9.26

Drupal 7.79 has been released

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

This release is the first in which Drupal 7 core's test suite passes on PHP 8.0. There may still be PHP 8 problems in core, and it is very likely that contributed modules (contrib) have problems. Please test and report any problems in the appropriate issue queue.

AltaGrade donates the domain name "backdrop.org" to the Backdrop community

I remember poking into Backdrop's code for the first time back in October 2014, when we tried to set it up on Drupion (the older incarnation of our company). According to a popular Russian proverb, "the first pancake is always wonky," so we ran into our first Backdrop problem right then. However, with valuable input from Backdrop community members we quickly made the necessary changes and got it up and running.

Backdrop core - Critical - Third-party libraries - BACKDROP-SA-CORE-2021-001

Date: Wednesday, Jan 27th, 2021
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2021-001
CVE ID: CVE-2020-36193
Vulnerability: Third Party Libraries
Versions affected: Backdrop Core 1.18.x versions prior to 1.18.1, Backdrop Core 1.17.x versions prior to 1.17.6
Backdrop versions 1.16 and prior do not receive security coverage.

Description

The Backdrop project uses the PEAR Archive_Tar library, which has released a security update that affects Backdrop. For more information please see:
