Show advisories for only Drupal Core, only contributed projects, or only PSAs

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

Date: 
2022-February-23
Security risk: 
Moderately critical 12 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module provides an entity relationship hierarchy tree widget for an entity reference field.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.

Drupal 7's End-of-Life extended to November 1, 2023 - PSA-2022-02-23

Date: 
2022-February-23
Drupal 7 End of Life has received a final extension to January 5th, 2025

Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025

Date: 
2022-February-16
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default

This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004.

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

Date: 
2022-February-16
Security risk: 
Moderately critical 12 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2022-25270

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Also see Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Date: 
2022-February-16
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25271

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

This advisory is not covered by Drupal Steward.

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

Date: 
2022-February-09
Security risk: 
Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission.

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

Date: 
2022-February-09
Security risk: 
Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

This module enables you to manage and delete files.

The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.

To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities".

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Date: 
2022-January-26
Security risk: 
Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Partial mitigation is available by requiring users have been granted at least "Administer own taxonomy", "Edit own terms in vocabulary_name" or "Delete own terms in vocabulary_name" permissions, however this does not mitigate all known issues.

Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022

Date: 
2022-January-25
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

Update 2022-05-31. A past and new maintainers have created a fix and new releases which include fixes for the security issue that caused the module to be unsupported.

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021

Date: 
2022-January-25
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Pages

Subscribe with RSS Subscribe to Security advisories