The AltaGrade Blog

Critical and moderately critical security advisories for the The Better Mega Menu module

Alex

Technical Support Specialist

Sep 22, 2021
Add comment

Critical and moderately critical security adversaries for the The Better Mega Menu module

The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

Project: The Better Mega Menu
Date: 2021-September-22
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting, Information Disclosure, Multiple vulnerabilities

Description

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

Nick

Marketing Project Manager

Sep 16, 2021
Add comment

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029

Project: GraphQL
Date: 2021-September-15
Security risk: Moderately critical 13∕25
Vulnerability: Access bypass
CVE IDs: CVE-2020-13675

Description

This advisory addresses a similar issue to Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008.

Nick

Marketing Project Manager

Sep 16, 2021
Add comment

Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028

Project: Entity Embed
Date: 2021-September-15
Security risk: Moderately critical 11∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13673

Description

This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006.

Nick

Marketing Project Manager

Sep 16, 2021
Add comment

Drupal core - Moderately critical - SA-CORE-2021-006(-010)

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 10∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13673

Nick

Marketing Project Manager

Sep 9, 2021
Add comment

WordPress 5.8.1 Security and Maintenance Release

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

Nick

Marketing Project Manager

Aug 25, 2021
Add comment

Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026

Project: Webform
Date: 2021-August-25
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting

Description

The Webform module uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.

Nick

Marketing Project Manager

Aug 25, 2021
Add comment

Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Project: Admin Toolbar
Date: 2021-August-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting, Access Bypass

Description

The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.

The Admin Toolbar Search sub-module of this module

Alex

Technical Support Specialist

Aug 13, 2021
Add comment

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

Project: Drupal core
Date: 2021-August-12
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries

Description

The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Alex

Technical Support Specialist

Aug 2, 2021
8 comments

How to properly setup Devel and Kint on Drupal 9?

I was recently setting up my local development environment for a new Drupal 9 project and despite abundance of documentation, couldn't get the Devel and Kint properly working at once. And because most of tutorials found online on the subject turned out to be buggy, outdated and/or obsolete, for posterity reasons I decided to log the installation steps that worked for me.

#TL;DR
drush pmu kint
composer require drupal/devel kint-php/kint
drush en devel

Nick

Marketing Project Manager

Jul 28, 2021
Add comment

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

Project: Pages Restriction Access
Date: 2021-July-28
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

This project enables administrators to restrict access from anonymous and regular users to pre-defined pages.

The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings.

Solution

Install the latest version: