The AltaGrade Blog

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12∕25
Vulnerability: Access Bypass

Description

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Project: Drupal core
Date: 2022-July-20
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code execution

Description

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

Nick

Marketing Project Manager

Jul 20, 2022
Add comment

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25 
Vulnerability: Multiple vulnerabilities

Description

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jul 13, 2022
Add comment

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13∕25
Vulnerability: Multiple: Remote Code Execution, Information disclosure

Description

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

Nick

Marketing Project Manager

Jun 29, 2022
Add comment

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Project: Lottiefiles Field
Date: 2022-June-29
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting

Description

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

Nick

Marketing Project Manager

Jun 29, 2022
Add comment

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

Project: Config Terms
Date: 2022-June-29
Security risk: Critical 15∕25
Vulnerability: Access bypass

Description

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

Nick

Marketing Project Manager

Jun 10, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Project: Drupal core
Date: 2022-June-10
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-31042, CVE-2022-31043

Description

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

Nick

Marketing Project Manager

May 26, 2022
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Project: Drupal core
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-29248

Description

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

Nick

Marketing Project Manager

May 25, 2022
Add comment

Embed - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-042

Project: Embed
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting

Description

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.

In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).

Nick

Marketing Project Manager

May 25, 2022
Add comment

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Project: Open Social
Date: 2022-May-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.

The AltaGrade Blog

Description

Solution

Description

Description

Solution

Description

Description

Description

Description

Description

Description

Description

Pages