Show advisories for only Drupal Core, only contributed projects, or only PSAs

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

Date: 
2024-December-11
Security risk: 
Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13309

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.

Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

Date: 
2024-December-11
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13308

This module provides a block that renders a link providing the functionality of a browser's back button.

The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Date: 
2024-December-04
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13305

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.

Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

Date: 
2024-December-04
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13304

The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website.

Several administrator routes are unprotected against Cross-Site Request Forgery (CRSF) attacks.

Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

Date: 
2024-December-04
Security risk: 
Critical 16 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:All
CVE IDs: 
CVE-2024-13303

This module provides a field formatter for the field type 'file' called `Table of files with download all link` .

The module had vulnerabilities allowing a user to download files they normally should not be able to download.

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068

Date: 
2024-December-04
Security risk: 
Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13302

Module to restrict access from anonymous and regular users to configured pre-defined pages.

The module does not adequately handle protecting certain types of URLs.

OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

Date: 
2024-December-04
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13301

This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.

The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.

Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066

Date: 
2024-December-04
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13300

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065

Date: 
2024-December-04
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13299

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064

Date: 
2024-November-27
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2024-13298

This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron.

When Google Tag Manager (GTM) service is enabled, an attacker can load a GTM container that can completely change the page or insert malicious JS.

This vulnerability is mitigated by the fact that the attacker must have a role with the permission "administer tarte au citron".

Pages

Subscribe with RSS Subscribe to Security advisories