AltaGrade During the Coronavirus Crisis
As the global pandemic of the COVID-19 continues to develop, we wanted to reach out to our current and prospective customers and let you know how AltaGrade is dealing with the Coronavirus emergency.
The AltaGrade Blog
CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11∕25
Vulnerability: Cross site scriptingDescription
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Drupal 8 core - Moderately critical - Third-party library - SA-CORE-2020-001
Project: Drupal core
Versions: 8.8.x-dev, 8.7.x-dev
Date: 2020-March-18
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraryDescription
The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.
SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006
Project: SAML Service Provider
Date: 2020-March-11
Security risk: Critical 15∕25
Vulnerability: Access bypassDescription
This module enables you to authenticate Drupal users using an external SAML Identity Provider.
If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.
Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004
Project: Profile
Date: 2020-February-19
Security risk: Moderately critical 14∕25
Vulnerability: Access BypassDescription
The Profile module enables you to allow users to have configurable user profiles.
The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.
Solution
Install the latest version:
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Project: Views Bulk Operations (VBO)
Date: 2020-February-05
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassDescription
Views Bulk Operations provides enhancements to running bulk actions on views.
The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.
This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).
If not Drupal 8 then Backdrop - Upgrade your Drupal 7 website with AltaGrade!
Since its official release on January 5, 2011 for many years Drupal 7 had been the content management system of choice for the majority of the web-projects hosted on AltaGrade platform. However, the picture has been gradually changing after Drupal 7's end-of-life was announced to take place sometime in November 2021 with growing number of Drupal 8, Wordpress, Backdrop or other types of websites coming instead.
Backdrop 1.15 has just been released
Following the 4-month release cycle, the Backdrop community has released the version 1.15 of Backdrop CMS.
Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001
Project: Radix
Date: 2020-January-15
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting
Description
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.
The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.
This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.
Solution
Install the latest version:
Merry Christmas and Happy New Year!
As we are approaching the year 2020 we would like to thank you for entrusting your Drupal, Backdrop and WordPress websites to us. We appreciate your business with AltaGrade and assure you that we will deliver more convenient features to our hosting platform and better enhancements to our ticket processing and billing portal in 2020.