Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

Date: 
2020-November-18

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

It looks like the third-party service that this module integrates with may have been retired.

If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Date: 
2020-November-18
CVE IDs: 
CVE-2020-13671

Update, November 18: documented a longer list of dangerous file extensions.

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to a file being interpreted as having an incorrect extension and, depending on the hosting configuration, served with the wrong MIME type or executed as PHP.
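The following is an added illustration of the filename problem behind SA-CORE-2020-012 (and the same defect carried into File Example under SA-CONTRIB-2020-035); it is not Drupal's own code. It sanitizes a "double extension" filename such as shell.php.txt by appending an underscore to every dangerous extension that is not the final one, so the saved name is shell.php_.txt and no longer contains a bare .php component. The extension list, the allowed-extension list and the rename rule are this example's own assumptions, chosen to show the technique rather than to match Drupal's defaults.

```php
<?php
declare(strict_types=1);

// Added example for SA-CORE-2020-012. Not Drupal's code; the lists below
// are assumptions made for this illustration.

/**
 * Extensions that some hosting configurations hand to a script interpreter
 * even when they are not the last extension in the filename. Assumed list.
 */
const DANGEROUS_EXTENSIONS = ['php', 'phtml', 'phar', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess'];

/**
 * Neutralise any dangerous extension that is not the final one by appending
 * an underscore: "shell.php.txt" becomes "shell.php_.txt". The final
 * extension must be on the allowed list; anything else is rejected outright.
 */
function munge_filename(string $filename, array $allowed = ['txt', 'jpg', 'png', 'pdf']): string {
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        // No extension at all: nothing to munge.
        return $filename;
    }
    $base = array_shift($parts);
    $final = strtolower(end($parts));
    if (!in_array($final, $allowed, true)) {
        throw new InvalidArgumentException("Extension '$final' is not allowed");
    }
    // Every intermediate extension (all but the last) is checked case-insensitively.
    $intermediate = array_slice($parts, 0, -1);
    foreach ($intermediate as &$ext) {
        if (in_array(strtolower($ext), DANGEROUS_EXTENSIONS, true)) {
            $ext .= '_';
        }
    }
    unset($ext);
    return $base . '.' . implode('.', array_merge($intermediate, [end($parts)]));
}

// Constructed inputs for the demonstration.
foreach (['report.txt', 'shell.php.txt', 'a.PHP.jpg.png', 'notes.tar.gz'] as $name) {
    try {
        printf("%-16s -> %s\n", $name, munge_filename($name));
    } catch (InvalidArgumentException $e) {
        printf("%-16s -> rejected (%s)\n", $name, $e->getMessage());
    }
}
```

The hosting-side caveat is why the intermediate extensions matter: with Apache's `AddHandler application/x-httpd-php .php`, the handler is applied to a file that carries `.php` as any one of its extensions, so an unmunged shell.php.txt in a web-served directory runs as PHP. Restricting the handler with `<FilesMatch "\.php$">` and `SetHandler` limits execution to files whose last extension is .php, and is worth checking on any site that accepts uploads regardless of the Drupal version in use.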

Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

Date: 
2020-November-18

The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012, along with other related vulnerabilities.

Therefore, File Example is being removed from Examples until a version demonstrating file-security best practices can be added back in the future.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Date: 
2020-September-16
CVE IDs: 
CVE-2020-13670

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.
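As an added illustration of the access-bypass pattern described in SA-CORE-2020-011, the following contrasts a handler that returns file metadata for any ID an attacker guesses with one that checks access first. This is not Drupal's File module code; the in-memory file table, the user IDs and the "owner-only for private files" rule are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example for SA-CORE-2020-011. Not Drupal's code; the file table,
// users and access rule below are constructed for this illustration.

// Constructed file table: id => metadata plus visibility and owner.
const FILES = [
    1 => ['name' => 'brochure.pdf', 'size' => 48213, 'private' => false, 'owner' => 2],
    2 => ['name' => 'payroll-2020.xlsx', 'size' => 91002, 'private' => true, 'owner' => 3],
];

/** Vulnerable: trusts the ID and returns metadata without any access check. */
function file_metadata_vulnerable(int $fid): ?array {
    return FILES[$fid] ?? null;
}

/** Assumed rule: public files are visible to everyone, private files only to their owner. */
function user_can_view(int $uid, array $file): bool {
    return !$file['private'] || $file['owner'] === $uid;
}

/**
 * Hardened: the access check runs before anything about the file is
 * returned, and "no such file" and "not allowed" give the same answer, so
 * the response does not even confirm that a guessed ID exists.
 */
function file_metadata_checked(int $uid, int $fid): ?array {
    $file = FILES[$fid] ?? null;
    if ($file === null || !user_can_view($uid, $file)) {
        return null;
    }
    return ['name' => $file['name'], 'size' => $file['size']];
}

// An attacker with uid 7 simply enumerates IDs.
foreach ([1, 2, 3] as $fid) {
    $leak = file_metadata_vulnerable($fid);
    $safe = file_metadata_checked(7, $fid);
    printf("fid %d: vulnerable=%s hardened=%s\n",
        $fid,
        $leak ? $leak['name'] : 'null',
        $safe ? $safe['name'] : 'null');
}
```

With these constructed inputs the vulnerable handler reveals the name and size of the private payroll file for fid 2, while the hardened one returns null for fid 2 and for the non-existent fid 3 alike. Sequential integer IDs make this kind of enumeration trivial, so the access decision has to live in the metadata path itself, not only in the download path.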

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Date: 
2020-September-16
CVE IDs: 
CVE-2020-13667

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Date: 
2020-September-16
CVE IDs: 
CVE-2020-13688

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
