The AltaGrade Blog

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Project: Radix
Date: 2020-January-15
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution

Install the latest version:

Read More

Merry Christmas and Happy New Year!

Merry Christmas and Happy New Year!

As we are approaching the year 2020 we would like to thank you for entrusting your Drupal, Backdrop and WordPress websites to us. We appreciate your business with AltaGrade and assure you that we will deliver more convenient features to our hosting platform and better enhancements to our ticket processing and billing portal in 2020.

Read More

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 is now available! This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking this link, or visit your WordPress website's Dashboard → Updates and click Update Now.

Read More

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
Project: Webform
Versions: 7.x-4.x, 7.x-3.x
Date: 2019-December-11
Security risk: Critical 15∕25 
Vulnerability: Multiple vulnerabilities

Description

This module enables you to create forms to collect information from users and report, analyze and distribute it by email.

Read More

Security advisories for multiple Drupal 8 contributed modules: Smart Trim, Modal Page, Taxonomy access fix, Permissions by Term

Security advisories for multiple Drupal 8 contributed modules: Smart Trim, Modal Page, Taxonomy access fix, Permissions by Term

Project: Smart Trim
Version: 8.x-1.x
Date: 2019-December-11
Security risk: Moderately critical 
Vulnerability: Cross site scripting

Description

The Smart Trim module allows site builders additional control with text summary fields.

The module doesn't sufficiently filter text when certain options are selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.

Read More

WordPress 5.3 “Kirk” is released

WordPress 5.3 “Kirk” is released

WordPress 5.3 with the improved block editor, named “Kirk” in honour of jazz multi-instrumentalist Rahsaan Roland Kirk, has been released today and is available for download or update in your dashboard.

5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedoms, provide additional layout options and style variations to allow designers more control over the look of a site.

Read More

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management

Description

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

Read More

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access Bypass

Description

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

Read More

Pages