Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Date: 
2022-July-20
CVE IDs: 
CVE-2022-25275

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system, i.e. only when the file URI uses the private:// scheme. However, some contributed modules provide additional file systems, or schemes, that also hold non-public files, and derivatives of files stored under such a scheme were generated without that access check.
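The following is an added illustration of the class of check the advisory describes, written for this page; it is not Drupal's code and uses no Drupal API. The scheme registry, the 'vault' scheme, the role-based file_download_access() stand-in and the two deliver functions are all hypothetical. The vulnerable variant runs the access check only when the scheme is literally 'private'; the hardened variant treats every scheme not registered as publicly visible as needing the check and refuses unknown schemes, which is the general allowlist form of the fix.

```php
<?php
// Constructed scheme registry standing in for a site's stream wrappers.
// Core provides public:// and private://; a contributed module may register
// its own scheme (here the hypothetical vault://) that also holds non-public files.
const SCHEMES = [
    'public'  => ['visible' => true],
    'private' => ['visible' => false],
    'vault'   => ['visible' => false],   // contributed, non-public
];

// Returns the scheme part of a "scheme://path" URI, or NULL if it has none.
function scheme_of(string $uri): ?string {
    $pos = strpos($uri, '://');
    return $pos === false ? null : substr($uri, 0, $pos);
}

// Stand-in for a file download access hook: returns headers when the given
// role may read the file, or -1 to deny. Hypothetical rule: only editors may
// read non-public files.
function file_download_access(string $uri, string $role) {
    return $role === 'editor' ? ['Content-Type' => 'image/png'] : -1;
}

// Vulnerable shape: the access hook runs only for the private:// scheme, so a
// non-public file under any other scheme is served without a check.
function deliver_derivative_vulnerable(string $uri, string $role): string {
    $scheme = scheme_of($uri);
    if ($scheme === 'private') {
        if (file_download_access($uri, $role) === -1) {
            return 'denied';
        }
    }
    return 'derivative generated';
}

// Hardened shape: default deny. Any scheme that is not registered as publicly
// visible requires the access hook, and an unknown or missing scheme is refused.
function deliver_derivative_hardened(string $uri, string $role): string {
    $scheme = scheme_of($uri);
    if ($scheme === null || !isset(SCHEMES[$scheme])) {
        return 'denied';
    }
    if (!SCHEMES[$scheme]['visible']) {
        if (file_download_access($uri, $role) === -1) {
            return 'denied';
        }
    }
    return 'derivative generated';
}

// Demonstration: an anonymous user requests derivatives of three files.
// Only the vault:// case differs between the two variants.
foreach (['public://logo.png', 'private://contract.png', 'vault://scan.png'] as $uri) {
    printf("%-24s vulnerable=%-22s hardened=%s\n", $uri,
        deliver_derivative_vulnerable($uri, 'anonymous'),
        deliver_derivative_hardened($uri, 'anonymous'));
}
```

The point of the contrast is that a check keyed on one known scheme name is a denylist: it silently fails open for every scheme added later by other code. Keying the check on a registered "publicly visible" property instead means a new scheme is protected until someone explicitly declares it public.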

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Date: 
2022-June-10
CVE IDs: 
CVE-2022-31042
CVE-2022-31043

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Date: 
2022-May-25
CVE IDs: 
CVE-2022-29248

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Date: 
2022-April-20
CVE IDs: 
CVE-2022-25274

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

This vulnerability only affects sites using Drupal's revision system.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Date: 
2022-April-20
CVE IDs: 
CVE-2022-25273

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Date: 
2022-March-21
CVE IDs: 
CVE-2022-24775

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

Date: 
2022-February-16
CVE IDs: 
CVE-2022-25270

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Also see Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Date: 
2022-February-16
CVE IDs: 
CVE-2022-25271

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002

Date: 
2022-January-19

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:
