Project: Image Field Caption
Version: 8.x-1.1
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingImage Field Caption (image_field_caption) adds an extra text area for captions on image fields.
The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.
Project: Doubleclick for Publishers (DFP)
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingDoubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.
Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to add URL fields to entity types with a variety of options.
The module doesn't sufficiently filter output when token processing is disabled on an individual field.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.
Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassDrupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.
Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12∕25
Vulnerability: Improper input validationDrupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.
Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15∕25
Vulnerability: UnsupportedProject: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalationThis module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.
Project: Drupal core
Date: 2022-March-21
Security risk: Moderately critical 11∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
Project: Drupal core
Date: 2022-March-16
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.