Scroll To Top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Date: 
2019-August-14

The Scroll To Top module enables you to have an animated scroll-to-top link at the bottom of the node.

The module does not sufficiently filter configuration text, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scroll to top".

Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

Date: 
2019-July-24

This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.

The module doesn't sufficiently check for proper access permission before returning autocomplete results.

This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller, though this is easily known.

Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059

Date: 
2019-July-24

The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site.

The module doesn't require user permissions on the admin page.

Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058

Date: 
2019-July-24

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks.

The module doesn't sufficiently check for a site being in maintenance mode.

This vulnerability is mitigated by the fact that the site must be configured to disallow access to certain content, and must be put into maintenance mode.

Drupal core - Critical - Access bypass - SA-CORE-2019-008

Date: 
2019-July-17
CVE IDs: 
CVE-2019-6342

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.

This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

Date: 
2019-July-17

Metatags quick is a module that manages meta tags (tags that appear in HTML's head section) as Drupal 7 fields.

The administration page of Metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

Date: 
2019-July-17

The ImageCache Actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub-module provides additional functionality to duplicate, export and import image styles. The module uses unserialize() to import image styles into another site; unserialize() is known to have security issues when processing potentially unsafe input.

This vulnerability is mitigated by the fact that the "Image styles admin" sub-module must be enabled and an attacker must have a role with the permission "administer image styles".

Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

Date: 
2019-July-10

This module enables you to add and manage additional custom permissions through the administration UI.

The module doesn't sufficiently check for the proper access permissions to this page.

This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions administration form, though this is easily known.

Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Date: 
2019-June-26

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand-alone software provides.

The module doesn't sufficiently sanitise user input in specific circumstances. It is not possible to disable the vulnerable functionality.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create forum content.

Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053

Date: 
2019-June-19

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and their respective links, then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitise user input in certain circumstances.

This vulnerability does not require any permissions but can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation.
