Context - Moderately critical - Cross site scripting - SA-CONTRIB-2019-028

Date: 
2019-February-27

This module enables you to manage contextual conditions and reactions for different portions of your site.

The module doesn't sufficiently sanitize user-supplied content when it is displayed, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the ability to store malicious markup in the site (e.g. permission to create a node with a field that accepts "filtered html").

Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

Date: 
2019-February-27

This module enables you to configure breadcrumbs for any Drupal page.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs".
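Both of the advisories above describe the same bug class: a string that a low-privileged or "trusted" user can set (a node field in the Context case, a breadcrumb configured by an administrator in the Path Breadcrumbs case) is placed into page markup without output escaping, and the permission that gates the input is treated as if it made the value safe. The following is an added example written for this page; it is not code from the Context or Path Breadcrumbs modules and does not reproduce their actual code paths. It runs under plain PHP, so Drupal 7's check_plain() (which is htmlspecialchars() with ENT_QUOTES and UTF-8) is reimplemented locally as check_plain_local(); the breadcrumb renderer functions and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example for the two XSS advisories above. Not module code.
// Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
// reproduced here so the file runs without a Drupal bootstrap.
function check_plain_local(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (hypothetical): the stored title and link are trusted
// because "only users with permission X can set them". The holder of that
// permission, or an attacker who obtained such an account, is the threat.
function render_breadcrumb_vulnerable(string $title, string $href): string {
    return '<a href="' . $href . '">' . $title . '</a>';
}

// Hardened pattern: escape at output time, every time, regardless of which
// permission gated the input, and reject link schemes other than http(s)
// so a javascript: URL cannot be stored as a clickable breadcrumb.
function render_breadcrumb_safe(string $title, string $href): string {
    $scheme = parse_url($href, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $href = '#';
    }
    return '<a href="' . check_plain_local($href) . '">'
         . check_plain_local($title) . '</a>';
}

// Constructed sample input: what a user with "Administer Path Breadcrumbs",
// or a node author whose field accepts markup, might store.
$title = 'Home<img src=x onerror="alert(document.cookie)">';
$href  = 'javascript:alert(1)';

echo "Vulnerable: ", render_breadcrumb_vulnerable($title, $href), PHP_EOL;
echo "Safe:       ", render_breadcrumb_safe($title, $href), PHP_EOL;
```

The first line of output carries the attacker's event handler and a javascript: link verbatim; the second renders the same stored data as inert text. The point for module authors is that escaping belongs at the point of output, not at the point where a permission check happens, because permissions change, roles get misassigned, and "filtered html" formats are routinely loosened by site builders.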

Services - Critical - SQL Injection - SA-CONTRIB-2019-026

Date: 
2019-February-27

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module doesn't sufficiently sanitize user input for entity index resources, allowing SQL injection attacks.

This vulnerability is mitigated by the fact that the Drupal 7 site must have one or more "index" resources enabled under the Services endpoint configuration (admin/structure/services/list/MY-ENDPOINT/resources) and an attacker must know the endpoint's machine name.
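An index resource is an attractive injection surface because it exists to let an API client choose which columns to return and which values to filter on. The following is an added example written for this page, not code from the Services module, and it does not reproduce the module's actual resource implementation. It uses PDO over an in-memory SQLite database so it runs under plain PHP; Drupal 7's db_query() placeholders (:name) and db_select()->condition() compile down to the same prepared-statement mechanism. The function names, the schema, the query-string shape (fields and parameters[...]) and the injected value are all assumptions constructed for illustration.

```php
<?php
// Added example for SA-CONTRIB-2019-026. Not Services module code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER)');
$db->exec("INSERT INTO node VALUES (1, 'Public page', 1), (2, 'Unpublished draft', 0)");
// Constructed table standing in for data an index resource must never expose.
$db->exec('CREATE TABLE users (uid INTEGER, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')");

// Vulnerable pattern (hypothetical): the client-supplied field list and
// filter values are interpolated straight into the statement.
function node_index_vulnerable(PDO $db, string $fields, array $parameters): array {
    $where = [];
    foreach ($parameters as $column => $value) {
        $where[] = "$column = '$value'";
    }
    $sql = "SELECT $fields FROM node"
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: identifiers (columns) are checked against an allowlist,
// because placeholders cannot bind identifiers; values are bound as
// parameters so they can never change the shape of the statement.
function node_index_safe(PDO $db, string $fields, array $parameters): array {
    $allowed = ['nid', 'title', 'status'];
    $cols = array_map('trim', explode(',', $fields));
    foreach ($cols as $c) {
        if (!in_array($c, $allowed, true)) {
            throw new InvalidArgumentException("Unknown field: $c");
        }
    }
    $where = [];
    $bind  = [];
    foreach ($parameters as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Unknown parameter: $column");
        }
        $where[]          = "$column = :$column";
        $bind[":$column"] = $value;
    }
    $sql = 'SELECT ' . implode(', ', $cols) . ' FROM node'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    $stmt = $db->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request, as an anonymous client could send to a hypothetical
// endpoint such as /MY-ENDPOINT/node?fields=nid,title&parameters[status]=...
$fields = 'nid, title';
$params = ['status' => "1' UNION SELECT uid, name || ':' || pass FROM users --"];

echo "Vulnerable:\n";
var_dump(node_index_vulnerable($db, $fields, $params));
echo "Safe:\n";
var_dump(node_index_safe($db, $fields, $params));
```

In the vulnerable call the filter value closes the string literal, appends a UNION against the users table and comments out the remainder, so the password hash comes back in the title column of an ordinary index response. In the hardened call the same string is bound as the status value, matches nothing, and the query shape is unchanged. For the actual module the fix is to update Services as the advisory directs; the allowlist-plus-placeholder pattern is what a reviewer should look for in any custom resource that exposes column or filter selection.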

SA-CORE-2019-003 Notice of increased risk and Additional exploit path - PSA-2019-02-22

Date: 
2019-February-23

This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2019-003 you should do that now.

There are public exploits now available for this SA.

Update, February 25: Mass exploits are now being reported in the wild.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Date: 
2019-February-20
CVE IDs: 
CVE-2019-6340

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:
