The AltaGrade Blog

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Nick

Marketing Project Manager

Aug 22, 2019
Add comment

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Project: Imagecache External
Date: 2019-August-21
Security risk: Critical 15∕25 
Vulnerability: Insecure session token management

Description

This module that allows you to store external images on your server and apply your own Image Styles.

The module exposes cookies to external sites when making external image requests.

This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from trusted sources.

Nick

Marketing Project Manager

Aug 15, 2019
Add comment

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Project: Super Login
Date: 2019-August-14
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

This module improves the Drupal login page with the new features and layout.

The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field.

The vulnerability is mitigated by the fact it can only be exploited by a user with the "Administer super login" permission.

Nick

Marketing Project Manager

Aug 15, 2019
Add comment

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Project: scroll to top
Date: 2019-August-14
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node.

The module does not sufficiently filter configuration text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Nick

Marketing Project Manager

Aug 15, 2019
Add comment

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Project: Forms Steps
Date: 2019-August-14
Security risk:  Critical 16∕25 
Vulnerability: Access bypass

Description

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.

The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.

Alex

Technical Support Specialist

Aug 15, 2019
Add comment

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Project: External Links Filter
Date: 2019-August-14
Security risk: Moderately critical 10∕25 
Vulnerability: Open Redirect Vulnerability

Description

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL.

The module did not have protection for the Redirect URL to go where content authors intended.

Solution

Install the latest version:

Nick

Marketing Project Manager

Jul 18, 2019
Add comment

Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

Drupal Security team announced today the discovery of vulnerabilities in Drupal 8 core and two Drupal 7 contributed modules - ImageCache Actions and Meta tags quick with the following details and recommended ways of mitigations.

Alan

Technical Support Specialist

Jun 19, 2019
Add comment

WordPress Maintenance 5.2.2 Version has been released

WordPress 5.2.2 is now available! This maintenance release fixes 13 bugs and adds a little bit of polish to the Site Health feature that made its debut in 5.2.

Here are some changes of note:

Nick

Marketing Project Manager

Jun 11, 2019
Add comment

Critical Vulnerability in WordPress WP Live Chat – CVE-2019-12498

Cybersecurity security researchers at Alert Logic have announced warning about a critical vulnerability they discovered in one of a popular WordPress Live Chat plugin, which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions.

Alex

Technical Support Specialist

Jun 1, 2019
Add comment

Finalizing migration from Drupion to AltaGrade

Update of June 5, 2019: We have to re-send this newsletter once again, because when contacted about migration some customers reported they didn't receive previous notifications about Drupion-AltaGrade transformation.

Alan

Technical Support Specialist

May 22, 2019
Add comment

A short-cycle maintenance 5.2.1 release WordPress has been announced today. The next version 5.2.2 is expected to follow in approximately two weeks.

This maintenance release fixes 33 bugs, including improvements to the block editor, accessibility, internationalization, and the Site Health feature introduced in 5.2.

The AltaGrade Blog

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Description

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Description

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Description

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Description

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Description

Solution

Critical vulnerabilities found in Drupal 8 Core and two Drupal 7 contributed modules

WordPress Maintenance 5.2.2 Version has been released

Critical Vulnerability in WordPress WP Live Chat – CVE-2019-12498

Updated: Finalizing migration from Drupion to AltaGrade

Time to update WordPress to 5.2.1

Pages