Critical Release - PSA-2019-02-19

Date: 2019-February-19

There will be a security release of 8.5.x and 8.6.x on February 20th 2019 between 1PM and 5PM America/New York (1800 to 2200 UTC). (To see this in your local timezone, refer to the Drupal Core Calendar.) The risk on this is currently rated at 20/25 (Highly critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.

Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

Date: 2019-February-13

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern.
If anonymous users are allowed to register and:

Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016

Date: 2019-February-13

This module allows users to log in to Drupal websites through an external provider over the OAuth 2.0 protocol.

The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.

Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015

Date: 2019-February-13

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014

Date: 2019-February-06

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.

The module does not properly enforce access control in a specific case, which can lead to disclosing information.

The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.

Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013

Date: 2019-February-06

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account.

The module doesn't employ sufficient randomness in the generation of URLs, which represents an Access Bypass vulnerability.
