Show advisories for only Drupal Core, only contributed projects, or only PSAs

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Date: 
2017-October-25
Security risk: 
Highly critical 20 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All

This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078

Date: 
2017-October-18
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module doesn't sufficiently let users know a setting page should not be given to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Date: 
2017-October-11
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control making it susceptible to brute force attacks.

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

By Drupal Security Team on
Categories: Drupal 7.x

Page Access - Unsupported - SA-CONTRIB-2017-075

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-075
  • Project: Page Access (third-party module)
  • Date: 20-September-2017

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

By Drupal Security Team on
Categories: Drupal 7.x

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

By Drupal Security Team on

Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

By Drupal Security Team on
Categories: Drupal 7.x

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

By Drupal Security Team on
Categories: Drupal 7.x

Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070

By Drupal Security Team on
Categories: Drupal 7.x

Pages

Subscribe with RSS Subscribe to Security advisories