Show advisories for only contributed projects, only PSAs, or all security advisories

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

Date: 
2022-January-19
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011

Date: 
2021-November-17
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update.

Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

Date: 
2021-September-15
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13677

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009

Date: 
2021-September-15
Security risk: 
Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13676

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008

Date: 
2021-September-15
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2020-13675

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

Date: 
2021-September-15
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13674

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

Date: 
2021-September-15
Security risk: 
Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13673

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

Date: 
2021-August-12
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004

Date: 
2021-July-21
Security risk: 
Critical 15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2021-32610

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.

The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.

Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

Date: 
2021-May-26
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
CVE IDs: 
CVE-2021-33829

Update: 2021-06-11: Added CVE-2021-33829 identifier

Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.

Update: 2021-06-11: More details are available on CKEditor's blog.

Pages

Subscribe with RSS Subscribe to Security advisories