Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Date: 2022-February-16
CVE IDs: CVE-2022-25271

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

This advisory is not covered by Drupal Steward.

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

Date: 2022-February-09

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer custom breadcrumbs" permission.

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

Date: 2022-February-09

This module enables you to manage and delete files.

The module doesn't sufficiently protect unmanaged files from being viewed: an unauthenticated user who knows the path of the view can visit it and attempt to delete files, which results in duplicate files being created.

To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities".

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Date: 2022-January-26

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Partial mitigation is available by requiring that users be granted at least the "Administer own taxonomy", "Edit own terms in vocabulary_name" or "Delete own terms in vocabulary_name" permissions; however, this does not mitigate all known issues.

Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022

Date: 2022-January-25

Update 2022-05-31: Past and new maintainers have created a fix and new releases that include fixes for the security issue that caused the module to be marked unsupported.

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021

Date: 2022-January-25

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020

Date: 2022-January-25

Update 2022-05-04: Existing maintainers have updated the project to clarify that the module did not contain a security issue that caused the module to be unsupported.

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019

Date: 2022-January-25

This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows publicly accessible URLs to be provided for these files.

The module exposes all files that are in the vendor directory, without a site owner's knowledge or intention. This could be undesirable behavior, especially since this module is required as a dependency by other modules.

Edited October 24, 2023, after the project was re-supported by new maintainers, because this advisory's metadata affects Composer.

Cog - Critical - Unsupported - SA-CONTRIB-2022-018

Date: 2022-January-25

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017

Date: 2022-January-25

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
