wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049

Date: 
2024-October-09
CVE IDs: 
CVE-2024-13285

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

Date: 
2024-October-09
CVE IDs: 
CVE-2024-13284

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.

This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

Date: 
2024-October-09
CVE IDs: 
CVE-2024-13283

This module enables you to easily create and manage faceted search interfaces.

The module doesn't sufficiently filter malicious scripts, leading to a reflected cross site scripting (XSS) vulnerability.

The vulnerability exists in the Facets Summary submodule. If you do not use that submodule, your site is not vulnerable to this issue.

Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located

Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046

Date: 
2024-October-09
CVE IDs: 
CVE-2024-13282

This module enables you to manage blocks from specific modules in specific themes.

The module doesn't sufficiently check permissions when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). The attacker can add the block to a theme in which they are not allowed to manage blocks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045

Date: 
2024-October-09
CVE IDs: 
CVE-2024-13281

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended.

This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter.

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

Date: 
2024-October-02
CVE IDs: 
CVE-2024-13280

This module enables users to remain logged in separately from session timeouts.

The module doesn't sufficiently check a user's disabled status when validating cookies.

This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

Date: 
2024-October-02
CVE IDs: 
CVE-2024-13279

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

Date: 
2024-October-02
CVE IDs: 
CVE-2024-13278

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

Date: 
2024-September-18
CVE IDs: 
CVE-2024-13277

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths provided by the module, allowing a malicious user to view and modify the settings.

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Date: 
2024-September-11
CVE IDs: 
CVE-2024-13276

This module enables you to store and manage both private and public files, and provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to them. If the subfolder doesn't exist, the module places the file in a publicly accessible directory.

This vulnerability only affects sites with private files.
