Show advisories for only contributed projects, only PSAs, or all security advisories

Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002

Date: 
2021-April-21
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13672

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible.

Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Date: 
2021-January-20
Security risk: 
Critical 18 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

Date: 
2020-November-25
Security risk: 
Critical 18 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
CVE IDs: 
CVE-2020-28949
CVE-2020-28948

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Date: 
2020-November-18
Security risk: 
Critical 17 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13671

Update November 18: Documented longer list of dangerous file extensions

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Date: 
2020-September-16
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13670

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Date: 
2020-September-16
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13667

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010

Date: 
2020-September-16
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13669

Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Date: 
2020-September-16
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2020-13688

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

Date: 
2020-September-16
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2020-13666

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Date: 
2020-June-17
Security risk: 
Less critical 8 ∕ 25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2020-13665

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Pages

Subscribe with RSS Subscribe to Security advisories