Show advisories for only Drupal Core, only contributed projects, or only PSAs

Drupal 8 is now end-of-life - PSA-2021-11-30

Date: 
2021-November-30

As of November 17, 2021, the Drupal core version 8 series has reached end-of-life. This means that all releases of Drupal 8 core (with 8.y.x version numbers) and Drupal contributed project releases that are compatible with only Drupal 8 will be marked unsupported as they no longer have security team support.

Drupal 8.0.0 was first released on November 9, 2015. The last version was released on November 17, 2021.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011

Date: 
2021-November-17
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update.

OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044

Date: 
2021-November-17
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

This module enables users to authenticate through their Microsoft Azure AD account.

The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.

Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

Date: 
2021-October-13
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:Uncommon

This module enables aklump/loft_data_grids to be used as a Drupal module.

Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet library.

Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042

Date: 
2021-September-29
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.

It does not sufficiently sanitize user input.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bundle.

The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041

Date: 
2021-September-22
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

This module has a vulnerability whereby users can select blocks as a menu item they don't have permission to view.

The vulnerability is mitigated by the fact that it can only be exploited by an attacker with the "Administer TB Mega Menu" permission.

The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

Date: 
2021-September-22
Security risk: 
Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not use CSRF tokens to protect routes for saving menu configurations.

This vulnerability can be exploited by an anonymous user.

The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039

Date: 
2021-September-22
Security risk: 
Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

It does not sufficiently sanitize user input such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have permission to administer mega menus and/or create or edit menu links, to inject the XSS.

The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

Date: 
2021-September-22
Security risk: 
Moderately critical 12 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-end markup.

Domain Group - Critical - Access bypass - SA-CONTRIB-2021-037

Date: 
2021-September-22
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module enables sites to define a domain from Domain Access that points directly to a group page.

The module doesn't sufficiently manage the access to content administrative paths allowing an attacker to see and take actions on content (nodes) they should be allowed to.

Pages

Subscribe with RSS Subscribe to Security advisories