Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.
Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15∕25
Vulnerability: UnsupportedProject: Role Delegation
Date: 2022-March-23
Security risk: Moderately critical 14∕25
Vulnerability: Privilege escalationThis module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.
Project: Drupal core
Date: 2022-March-21
Security risk: Moderately critical 11∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
Project: Drupal core
Date: 2022-March-16
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24728, CVE-2022-24729The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.
WordPress 5.9.2 is now available!
This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.
Project: Opigno Learning path
Date: 2022-March-09
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassThis module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.
The module was providing too much user information about users such as the list of groups a uid is in.
Install the latest version:
Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15∕25
Vulnerability: Cross Site ScriptingSVG Formatter module provides support for using SVG images on your website.
Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.
Project: GOV.UK Theme
Date: 2022-February-23
Security risk: Moderately critical 14∕25
Vulnerability: Cross site scriptingThe GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.
Project: Entity Reference Tree Widget
Date: 2022-February-23
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingThis module provides an entity relationship hierarchy tree widget for an entity reference field.
The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.