The AltaGrade Blog

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Nick

Marketing Project Manager

Oct 12, 2022
Add comment

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

Nick

Marketing Project Manager

Sep 28, 2022
Add comment

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057

Project: S3 File System
Date: 2022-September-28
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass

Description

This module enables you to utilize S3-compatible storage as a Drupal filesystem.

The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.

Nick

Marketing Project Manager

Sep 28, 2022
Add comment

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

Project: Drupal core
Date: 2022-September-28
Security risk: Critical 18∕25
Vulnerability: Multiple vulnerabilities
Affected versions: >= 8.0.0 = 9.4.0

Nick

Marketing Project Manager

Sep 8, 2022
Add comment

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

Nick

Marketing Project Manager

Sep 8, 2022
Add comment

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution

Install the latest version:

Nick

Marketing Project Manager

Aug 16, 2022
Add comment

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

Project: PDF generator API
Version: 2.2.1, 2.2.0, 2.1.0, 2.0.0
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Remote Code Execution

Description

This module enables you to generate PDF versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Nick

Marketing Project Manager

Jul 27, 2022
Add comment

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

Project: Tagify
Version: 1.0.4, 1.0.3, 1.0.2-beta1, 1.0.1-beta1, 1.0.0-beta1
Date: 2022-July-27
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass

Description

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure

Description

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

The AltaGrade Blog

Description

Description

Description

Description

Solution

Description

Description

Description

Description

Description

Pages