The AltaGrade Blog
Here it is! Named “Adderley” in honor of Nat Adderley, the latest and greatest version of WordPress is available for download or update in your dashboard.
Project: Svg Image
Security risk: Critical 15∕25
Vulnerability: Cross site scripting
SVG Image module allows to upload SVG files.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.
Install the latest version:
As the global pandemic of the COVID-19 continues to develop, we wanted to reach out to our current and prospective customers and let you know how AltaGrade is dealing with the Coronavirus emergency.
Project: CKEditor - WYSIWYG HTML editor Date: 2020-March-18 Security risk: Moderately critical 11∕25 Vulnerability: Cross site scripting
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Project: Drupal core Versions: 8.8.x-dev, 8.7.x-dev Date: 2020-March-18 Security risk: Moderately critical 13∕25 Vulnerability: Third-party library
The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.
Project: SAML Service Provider Date: 2020-March-11 Security risk: Critical 15∕25 Vulnerability: Access bypass
This module enables you to authenticate Drupal users using an external SAML Identity Provider.
If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.
Project: Profile Date: 2020-February-19 Security risk: Moderately critical 14∕25 Vulnerability: Access Bypass
The Profile module enables you to allow users to have configurable user profiles.
The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.
Install the latest version:
Project: Views Bulk Operations (VBO) Date: 2020-February-05 Security risk: Moderately critical 12∕25 Vulnerability: Access bypass
Views Bulk Operations provides enhancements to running bulk actions on views.
The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.
This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).