Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by community members.

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Date: 2023-January-11

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".

File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

Date: 2022-December-14

The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Date: 2022-December-14

This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Date: 2022-December-07

This module enables you to create registration entities related to nodes.

The module doesn't sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

Date: 2022-November-30

The Social Private Message module allows users on the platform to send private messages to each other.

The module does not properly perform the correct access checks for certain operations.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061

Date: 2022-November-30

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.

In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.

This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".

Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060

Date: 2022-November-30

The Social Base theme is designed as a base theme for Open Social. This base theme has a lot of sensible defaults. It doesn't, however, contain much styling. We expect developers to want to change this for their own project.

When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Date: 2022-October-19

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't correctly detect in all cases whether a given search is active on the current page, leading to potential information disclosure for some setups.

This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

Date: 2022-October-12

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.

The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.

This vulnerability is mitigated by the fact that these filters must be used in combination with either unpublished content or access control modules.

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057

Date: 2022-September-28

This module enables you to utilize S3-compatible storage as a Drupal filesystem.

The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.

This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.