Show advisories for only Drupal Core, only contributed projects, or only PSAs

Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005

Date: 
2022-January-25
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002

Date: 
2022-January-19
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

Date: 
2022-January-19
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Date: 
2022-January-19
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect site using the jQuery UI Datepicker module:

Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

Date: 
2022-January-05
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.

The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor used has an XSS vulnerability this would allow for example a commenter to put specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator.

Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

Date: 
2022-January-05
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module enables you to implement OAuth 2.0 authentication for Drupal.

The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.

This vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in the wild are public, not confidential. Furthermore, all affected grant types still require users to authenticate to Drupal during the OAuth flow.

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

Date: 
2022-January-05
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to login with an email address.

The module doesn't sufficiently check if a user account is active when using email login.

This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked.

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047

Date: 
2021-December-22
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This modules enables users to login via email address.

This module does not sufficiently check user status when authenticating.

Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

Date: 
2021-December-08
Security risk: 
Critical 16 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

This module enables you to create simple search pages based on Search API without the use of Views.

The module doesn’t sufficiently escape all variables provided for custom templates.

This vulnerability is mitigated by the fact that the default template provided by the module is not affected.

Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Date: 
2021-December-08
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Access Bypass:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data. Additionally, for sites with webforms that send emails and store submissions this vulnerability would allow an attacker to use the site as an email relay (i.e. sending arbitrary emails).

Pages

Subscribe with RSS Subscribe to Security advisories