Show advisories for only Drupal Core, only contributed projects, or only PSAs

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

Date: 
2021-June-02
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site.

The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in through the identity provider. This creates a scenario where after such a user is blocked from logging in through the identity provider but not explicitly blocked in Drupal, they are still able to log in by sending themselves a Drupal 'password reset' e-mail.

GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013

Date: 
2021-June-02
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

This module lets you craft and expose a GraphQL web service API.

The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data producer be configured that throws exceptions with confidential error messages that must not be exposed over the GraphQL API.

Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012

Date: 
2021-June-02
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All

The Frequently Asked Questions (faq) module allows users, with appropriate permissions, to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes configured. Basic Views layouts are also provided and can be customised via the Views UI (rather than via the module settings page).

The module doesn't sufficiently sanitize editor input leading to a Cross Site Scripting (XSS) vulnerability.

Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Date: 
2021-June-02
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Date: 
2021-June-02
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions".

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

Date: 
2021-May-26
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
CVE IDs: 
CVE-2021-33829

Update: 2021-06-11: Added CVE-2021-33829 identifier

Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix.

Update: 2021-06-11: More details are available on CKEditor's blog.

Off Cycle Drupal Core Security Release - PSA-2021-05-25

Date: 
2021-May-25

Update: After some delays, the new estimate for this release is 20:00UTC on May 26th, 2021. Apologies for the inconvenience.

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Date: 
2021-May-12
Security risk: 
Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All

Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them.

The module doesn't sufficiently handle access control on its EntityView plugin.

This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route.

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008

Date: 
2021-May-12
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default

This module enables you to add customizable facets on search pages, from core search or searches provided by Search API.

The module doesn't sufficiently filter all output in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets".

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Date: 
2021-May-12
Security risk: 
Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks.

Pages

Subscribe with RSS Subscribe to Security advisories