Project: OpenID Connect / OAuth client
Date: 2021-June-02
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassThis module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site.
Project: GraphQL
Date: 2021-June-02
Security risk: Moderately critical 11∕25
Vulnerability: Information DisclosureThis module lets you craft and expose a GraphQL web service API.
The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability.
Project: Frequently Asked Questions
Date: 2021-June-02
Security risk: Moderately critical 11∕25
Vulnerability: Cross Site ScriptingThe Frequently Asked Questions (faq) module allows users, with appropriate permissions, to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes configured. Basic Views layouts are also provided and can be customized via the Views UI (rather than via the module settings page).
Project: Open Social
Date: 2021-June-02
Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default
Vulnerability: SQL InjectionThis Open Social distribution provides a turn-key system for building customized social networks.
The module doesn't sufficiently process data in certain circumstances.
Date: Wednesday, May 26th, 2021
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2021-003
Vulnerability: Cross Site ScriptingBackdrop versions 1.17 and prior do not receive security coverage.
Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.
Project: Drupal core
Date: 2021-May-26
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site ScriptingDrupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.
WordPress 5.7.2 is now available. This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8. You can update to WordPress 5.7.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Project: Gutenberg
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2021-May-12
Security risk: Critical 18∕25
Vulnerability: Access bypassThis module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks.
Install the latest version:
Project: Facets
Version: 8.x-1.x-dev
Date: 2021-May-12
Security risk: Moderately critical 11∕25
Vulnerability: Cross site scriptingThis module enables you to add customizable facets on search pages, from core search or searches provided by Search API.
The module doesn't sufficiently filter all output in certain circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".
Project: Chaos Tool Suite (ctools)
Version: 8.x-3.5, 8.x-3.4, 8.x-3.3, 8.x-3.2, 8.x-3.1, 8.x-3.0
Date: 2021-May-12
Security risk: Moderately critical 12∕25
Vulnerability: Information disclosureChaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.