The AltaGrade Blog

Drupal 8: Multiple critical and moderately critical security advisories for Webform module

Drupal 8: Multiple critical and moderately critical security advisories for Webform module

Drupal Security team has released multiple critical and moderately critical security advisories for Webform module today. This module enables you to build forms and surveys in Drupal.

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

Project: Webform
Date: 2020-May-06
Security risk: Critical 17∕25 
Vulnerability: Remote Code Execution
Read More

Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18∕25 
Vulnerability: Access bypass

Description

The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.

The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass.

Solution

Install the latest version:

Read More

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15∕25
Vulnerability: Cross site scripting

Description

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution

Install the latest version:

Read More

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11∕25 
Vulnerability: Cross site scripting

Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Read More

Pages