Show advisories for only Drupal Core, only contributed projects, or only PSAs

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Noggin - Critical - Unsupported - SA-CONTRIB-2019-080

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

Update - 2021-01-22

This maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue.

Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077

Date: 
2019-November-13
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076

Date: 
2019-November-13
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

This module replaces administrative overview/listing pages with actual views for superior usability.

The module doesn't sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System".

Update:
This project had been unsupported due to this advisory. The security issue is now fixed and the project is supported again.

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Date: 
2019-November-06
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Date: 
2019-October-16
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

MaxLength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Date: 
2019-October-09
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact the malicious script will not be triggered in the browser of UID 1 nor any user with "Bypass maxlength setting".

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Date: 
2019-October-02
Security risk: 
Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.

The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which may be writeable to be protected by a .htaccess file to prevent malicious PHP files placed within them being executed by the webserver. This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.

Pages

Subscribe with RSS Subscribe to Security advisories