Show advisories for only Drupal Core, only contributed projects, or only PSAs

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

Date: 
2019-December-18
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Date: 
2019-December-11
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

This module enables you to create forms to collect information from users and report, analyze and distribute it by email.

The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

Date: 
2019-December-11
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms.

The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists.

Modal - Moderately critical - Access bypass - SA-CONTRIB-2019-094

Date: 
2019-December-11
Security risk: 
Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

This project enables administrators to create modal dialogs.

The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations.

Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

Date: 
2019-December-11
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check,

  • if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
  • if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.

The vulnerability is mitigated by the facts, that

Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092

Date: 
2019-December-11
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

The Smart Trim module allows site builders additional control with text summary fields.

The module doesn't sufficiently filter text when certain options are selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.

Floating Button Menu - Critical - Unsupported - SA-CONTRIB-2019-091

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

Update: This module had an access bypass vulnerability which has now been addressed by the module’s current maintainers.

Original description

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Pages

Subscribe with RSS Subscribe to Security advisories