TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

Date: 
2023-June-28

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.

Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028

Date: 
2023-June-28

This module enables you to render a field in an expandable/collapsible region.

The module doesn't sufficiently sanitize the field content when displaying it to an end user.

This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.

Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027

Date: 
2023-June-28

This module enables a UI to display all libraries provided by modules and themes on the Drupal site.

The module doesn't sufficiently protect the libraries reporting page: it currently requires only the 'access content' permission, which is typically granted to every role, rather than a proper administrative permission.

The library information can be obtained by anyone who knows or guesses the URL of the reporting page. The fix protects the page with a module-specific permission that an administrator must grant explicitly.

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

Date: 
2023-June-28

This module enables you to use complex autocompletion in forms.

The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to publish the kind of data used in the autocomplete (for instance, create nodes if the tool is used to search nodes, or comments if it is used to search comments).

Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025

Date: 
2023-June-28

This module provides integration with Mailchimp, a popular email delivery service.

A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack.
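Both the Libraries UI access bypass above and this Mailchimp CSRF issue come down to the requirements declared on a Drupal route. The following is an added example, not code from either module, showing how a route subscriber in a site-specific module enforces a module-specific permission on one route and a CSRF token on another. The module name `example_hardening`, the route names `libraries_ui.report` and `mailchimp.oauth_callback`, and the permission string `administer libraries ui` are assumptions for illustration; the real modules use their own names.

```php
<?php

// Added example, not from the Libraries UI or Mailchimp modules.
// Assumed location: modules/custom/example_hardening/src/Routing/RouteSubscriber.php
// Like any RouteSubscriberBase subclass it only takes effect once registered in
// example_hardening.services.yml with the tag { name: event_subscriber }.

namespace Drupal\example_hardening\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Tightens the requirements on two assumed route names.
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    // Access bypass pattern: a reporting page guarded only by
    // 'access content', which nearly every role holds. Replace it with a
    // permission that an administrator has to grant on purpose. The
    // permission itself must be declared in a *.permissions.yml file or the
    // route becomes inaccessible to everyone. (Route and permission names
    // are assumptions.)
    if ($route = $collection->get('libraries_ui.report')) {
      $route->setRequirement('_permission', 'administer libraries ui');
    }

    // CSRF pattern: a state-changing route reachable through a link the
    // victim can be tricked into following. With '_csrf_token' set, the
    // access checker rejects any request whose ?token= query value was not
    // issued for the current session and this path. (Route name assumed.)
    if ($route = $collection->get('mailchimp.oauth_callback')) {
      $route->setRequirement('_csrf_token', 'TRUE');
    }
  }

}
```

Two caveats a practitioner should keep in mind. First, links to a `_csrf_token` route must be generated with `Url::fromRoute()` so that Drupal appends the token; a hand-written `<a href>` to the same path will be rejected. Second, a callback that a third-party identity provider calls directly cannot carry a Drupal session token, so for the provider-to-site leg of an OAuth flow the `state` parameter has to play that role, while `_csrf_token` belongs on the site-initiated leg (the route that starts the authorization or clears a stored connection).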

GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024

Date: 
2023-June-28

This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.

The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer gridstack".

GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023

Date: 
2023-June-28

This module enables you to define configurable GDPR alert messages.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer gdpr alert" regardless of other configurations.

Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022

Date: 
2023-June-21

This module enables you to create and manage photos and photo albums on your website.

The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit any photo" or "delete any photo".

Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021

Date: 
2023-June-21

CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation.

The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have a role with the "Administer Civic Cookie Control" permission.
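Several of the advisories above (TacJS, Expandable Formatter, GridStack, GDPR Alert and Civic Cookie Control) describe the same bug class: a string stored in module configuration or in a field reaches the page as HTML without being escaped or filtered. The following is an added example, not code from any of those modules, showing the vulnerable Drupal render pattern next to three safe alternatives. The function names and the idea of a configured `message` setting are assumptions for illustration.

```php
<?php

// Added example, not from any of the modules listed above.
// Runs inside a Drupal 9/10 module; the render arrays below are returned
// from a block plugin, a field formatter or a controller.

use Drupal\Core\Render\Markup;

/**
 * VULNERABLE: the (assumed) 'message' setting is emitted verbatim.
 *
 * Markup::create() tells the renderer the string is already safe HTML, so a
 * value such as <img src=x onerror=alert(1)> executes for every visitor who
 * sees the output. Any role holding the module's "administer ..." permission
 * can plant it, which is exactly why the advisories list that permission as
 * the only mitigation.
 */
function example_build_unsafe(string $configured_message): array {
  return ['#markup' => Markup::create($configured_message)];
}

/**
 * SAFE when the setting is meant to be plain text: #plain_text is
 * HTML-escaped on output, so the payload above renders as literal characters.
 */
function example_build_plain(string $configured_message): array {
  return ['#plain_text' => $configured_message];
}

/**
 * SAFE when limited markup is a feature: a plain string in #markup is run
 * through Xss::filter() with the declared allowlist, which drops the <img>
 * tag entirely and strips on* attributes and javascript: URLs from the tags
 * it keeps. Without #allowed_tags the renderer applies Xss::filterAdmin(),
 * which is broader but still removes script and event handlers.
 */
function example_build_limited_html(string $configured_message): array {
  return [
    '#markup' => $configured_message,
    '#allowed_tags' => ['a', 'em', 'strong', 'p', 'br'],
  ];
}

/**
 * SAFE for formatted field content (the Expandable Formatter case): honour
 * the field's text format instead of concatenating $item->value yourself,
 * so the site's configured filters decide what the author may emit.
 */
function example_build_field_item(string $value, ?string $format): array {
  return [
    '#type' => 'processed_text',
    '#text' => $value,
    '#format' => $format,
  ];
}
```

The same discipline applies when data leaves PHP for the browser, as in the Search Autocomplete case: values handed to JavaScript through `drupalSettings` or a JSON response must be inserted into the DOM with `textContent` (or escaped before `innerHTML`), because server-side filtering does nothing once client-side code rebuilds the markup.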
