The AltaGrade Blog
Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026
Project: Webform
Date: 2021-August-25
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting
Description
The Webform module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.
Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025
Project: Admin Toolbar
Date: 2021-August-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting, Access Bypass
Description
The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.
The Admin Toolbar Search sub-module of this module
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
Project: Drupal core
Date: 2021-August-12
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
Description
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.
How to install Devel and Kint on Drupal 9
I was recently setting up my local development environment for a new Drupal 9 project and, despite an abundance of documentation, couldn't get Devel and Kint working properly at once. And because most of the tutorials found online on the subject turned out to be buggy, outdated and/or obsolete, for posterity's sake I decided to log the installation steps that worked for me.
TL;DR
drush pmu kint
composer require drupal/devel kint-php/kint
drush en devel
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024
Project: Pages Restriction Access
Date: 2021-July-28
Security risk: Critical 16∕25
Vulnerability: Access bypass
Description
This project enables administrators to restrict access from anonymous and regular users to pre-defined pages.
The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings.
Solution
Install the latest version:
Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023
Project: Form mode manager
Date: 2021-July-21
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass
Description
This module provides a user interface that allows the implementation and use of Form modes without custom development.
The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.
Drupal core - Critical - Third-party libraries - SA-CORE-2021-004
Project: Drupal core
Date: 2021-July-21
Security risk: Critical 15∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2021-32610
Description
The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.
The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.
WordPress 5.8 Tatum has been released
Introducing 5.8 “Tatum”, our latest and greatest release now available for download or update in your dashboard. Named in honor of Art Tatum, the legendary Jazz pianist. His formidable technique and willingness to push boundaries inspired musicians and changed what people thought could be done.
So fire up your music service of choice and enjoy Tatum’s famous recordings of ‘Tea for Two’, ‘Tiger Rag’, ‘Begin the Beguine’, and ‘Night and Day’ as you read about what the latest WordPress version brings to you.
Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021
Project: Linky Revision UI
Date: 2021-June-30
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass
Description
This module provides a revision UI for Linky entities.
The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.
This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
Solution
Install the latest version: