Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

Date: 2024-May-22
CVE IDs: CVE-2024-13256

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.

The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019

Date: 2024-May-15
CVE IDs: CVE-2024-13255

This module exposes Drupal resources (e.g. entities) as RESTful web services.

The module doesn't sufficiently restrict access for user resources.

REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

Date: 2024-April-24
CVE IDs: CVE-2024-13254

The REST Views module lets site admins create REST exports in Views with additional options for serializing data.

This module does not accurately check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that there must be a specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.

Advanced PWA inc Push Notifications - Critical - Access bypass - SA-CONTRIB-2024-017

Date: 2024-April-24
CVE IDs: CVE-2024-13253

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.

This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

Date: 2024-March-27
CVE IDs: CVE-2024-13252

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside content, leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.

This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

Date: 2024-March-06
CVE IDs: CVE-2024-13251

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

Date: 2024-February-28
CVE IDs: CVE-2024-13250

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

Date: 2024-February-28
CVE IDs: CVE-2024-13249

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

Date: 2024-February-28
CVE IDs: CVE-2024-13248

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.

The module incorrectly grants access to private nodes under certain specific circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

Date: 2024-February-28
CVE IDs: CVE-2024-13247

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
