Show advisories for only Drupal Core, only contributed projects, or only PSAs

GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023

Date: 
2023-June-28
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

This module enables you to define configurable GDPR alert messages.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer gdpr alert" regardless of other configurations.

Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022

Date: 
2023-June-21
Security risk: 
Critical 15 ∕ 25 AC:None/A:Admin/CI:All/II:Some/E:Theoretical/TD:Uncommon

This module enables you to create and manage photos and photo albums on your website.

The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit any photo" or "delete any photo".

Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021

Date: 
2023-June-21
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation.

The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have a role with the "Administer Civic Cookie Control" permission.

Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

Date: 
2023-June-14
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

End of life announcement and changes to Drupal 7 support - PSA-2023-06-07

Date: 
2023-June-07

Updated 2023-07-14 to reference PSA-2023-07-12.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019

Date: 
2023-May-31
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module provides social media share & follow buttons.

The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018

Date: 
2023-May-31
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

This module provides social media share & follow buttons.

The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.

This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.

Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017

Date: 
2023-May-31
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent.

The module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create blocks.

Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016

Date: 
2023-May-31
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.

The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the "Administer blocks" permission.

File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015

Date: 
2023-May-17
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Exploit/TD:All

The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox.

This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability leading to Information Disclosure. In uncommon configurations and scenarios, it might lead to Remote Code Execution.

Pages

Subscribe with RSS Subscribe to Security advisories