reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

Date: 2020-May-13

The reCAPTCHA v3 module enables you to protect your forms using Google reCAPTCHA v3.

If the reCAPTCHA v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.

This vulnerability only affects forms that are protected by reCAPTCHA v3 and have server-side validation steps (e.g. required fields or custom validation functions).

Webform - Critical - Access bypass - SA-CONTRIB-2020-018

Date: 2020-May-13

The Webform module enables you to build a 'Term checkboxes' element.

The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element.

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

Date: 2020-May-06

This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform_node, node, or entity access checks may not achieve the intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.

Webform - Critical - Access bypass - SA-CONTRIB-2020-016

Date: 2020-May-06

The Webform module enables you to build 'Term select' and 'Term checkboxes' elements.

The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

Date: 2020-May-06

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently sanitize Webform labels or visibility conditions when a webform block is placed. When a webform block is placed and visible on a website, any JavaScript code contained within the webform's label is executed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Date: 2020-May-06

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter user input when a webform is edited: the message related to the character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript code through it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

Date: 2020-May-06

The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being rendered via an options element (i.e. select menu, checkboxes, radios, etc.) when the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that a site builder must be allowed to build webforms and must select 'raw' as the options element's submission display.

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

Date: 2020-May-06

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently validate data submitted into the Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used in multiple places in Drupal 8 core and contrib modules.

An extracted HMAC hash could be used to view restricted site content or log in as another user in certain situations.

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

Date: 2020-May-06

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter webform element properties (attributes) when a webform is edited. A malicious user could craft an attribute (#element_validate, for example) that would invoke execution of undesired PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

Date: 2020-April-15

This module provides a JSON:API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade to a supported version of Drupal core, which includes a supported version of JSON:API.
