The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal.
The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.
Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.
This module provides a revision UI for Block Content entities.
The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.
This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.
This module provides a revision UI for Linky entities.
The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.
This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
Drupal 8 will reach its end-of-life on November 2, 2021, before the release of Drupal 9.3.0, due to Symfony 3's end-of-life. If you are using Drupal 8, you must upgrade to Drupal 9.2 before November to keep your site secure. (Drupal 9.1 security coverage ends shortly after the Drupal 8 end-of-life, so updating to 9.2 directly is best.)
There is no vendor extended support program for Drupal 8.
This project is related to the Opigno LMS distribution. It implements the learning path, which combines the different steps of a training in Opigno LMS in a very flexible way.
The module does not set the X-Frame-Options header and blocks the ability of other modules (e.g. Security Kit) to add it, leaving it vulnerable to clickjacking.
This module provides a revision UI to Block Content entities.
The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.
This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Block Content Revision UI, and another affected module must be enabled.
This module provides a revision UI to Linky entities.
The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules.
This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided by Linky Revision UI, and another affected module must be enabled.
The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal. Its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.
The module doesn't sufficiently handle block access control on its EntityView plugin. This is a follow-up to more fully implement the fixes from SA-CONTRIB-2021-009.