Show advisories for only contributed projects, only PSAs, or all security advisories

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Date: 
2023-September-20
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

Date: 
2023-April-19
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
CVE IDs: 
CVE-2023-31250

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

Date: 
2023-March-15
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Date: 
2023-March-15
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

Date: 
2023-March-15
Security risk: 
Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Date: 
2023-January-18
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

Date: 
2022-September-28
Security risk: 
Critical 18 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:All
CVE IDs: 
CVE-2022-39261

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.

Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Date: 
2022-July-20
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25276

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Date: 
2022-July-20
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25277

Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Date: 
2022-July-20
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25278

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Pages

Subscribe with RSS Subscribe to Security advisories