Show advisories for only Drupal Core, only contributed projects, or only PSAs

Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

Date: 
2023-September-27
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:All

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content_moderation module.

The module doesn't sufficiently check access to content when sending notifications.
This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only data sent in the email is visible, so the attacker cannot access the content on the site.

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Date: 
2023-September-27
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Date: 
2023-September-20
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

Date: 
2023-September-13
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

Date: 
2023-September-06
Security risk: 
Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.

The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.

This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.

highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Date: 
2023-September-06
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently filter user-entered data.

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Date: 
2023-August-30
Security risk: 
Less critical 5 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Uncommon

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

Date: 
2023-August-30
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

Date: 
2023-August-23
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.

Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.

SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

Date: 
2023-August-23
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

This module aims to prevent broken content references by informing content editors either on delete or archive moderation.

The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content.

Pages

Subscribe with RSS Subscribe to Security advisories