Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009

Date: 2021-September-15
CVE IDs: CVE-2020-13676

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008

Date: 2021-September-15
CVE IDs: CVE-2020-13675

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

Date: 2021-September-15
CVE IDs: CVE-2020-13674

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

Date: 2021-September-15
CVE IDs: CVE-2020-13673

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

This advisory is not covered by Drupal Steward.

Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026

Date: 2021-August-25

The Webform module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.

An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Date: 2021-August-25

The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.

The Admin Toolbar Search sub-module of this module

Drupal 8 and 9 core release on August 12, 2021 - PSA-2021-08-09

Date: 2021-August-09

The Drupal Security Team will be coordinating a security release for Drupal core 8.9, 9.1, and 9.2 this week on Thursday, August 12, 2021.

We are issuing this PSA in advance because August 12, 2021 is not a security window in the regular Drupal security release window schedule, so there would not normally be any security release on this date.

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

Date: 2021-July-28

This project enables administrators to restrict access from anonymous and regular users to pre-defined pages.

The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings.

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

Date: 2021-July-21

This module provides a user interface that allows the implementation and use of Form modes without custom development.

The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a specific form mode, for example use X form mode.
