Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012

Date: 2019-February-06

This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination.

The module did not verify that the links handed to the intermediate page were actually present in the Drupal site content, so the page could be used to redirect visitors to an arbitrary external URL, and it contained no checks to prevent external sites from hitting the counter directly.
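The following is an added example, not the Public Download Count module's own code. It shows a counter-and-redirect endpoint with the two weaknesses described above (an attacker-chosen target, and a counter anyone can hit) and one way to close both: the request names a link id rather than a URL, the id must exist in a registry of links that appear in site content, and an HMAC over the id proves the request came from the site's own rewritten link. The registry, link ids, route and secret are illustrative assumptions.

```php
<?php
// Added example, not the Public Download Count module's code. The link
// registry, ids, route and secret below are illustrative assumptions.
declare(strict_types=1);

const COUNTER_SECRET = 'replace-with-a-long-random-site-secret'; // assumed

/** Vulnerable: counts and redirects to whatever URL the request supplies. */
function vulnerable_redirect(array $query, array &$counts): ?string
{
    $target = (string) ($query['url'] ?? '');
    $counts[$target] = ($counts[$target] ?? 0) + 1;
    return $target; // caller emits "Location: $target": an open redirect
}

/** Links that actually appear in site content (constructed registry). */
function known_links(): array
{
    return [
        'report-2019' => 'https://example.org/files/report-2019.pdf',
        'brochure'    => 'https://cdn.example.org/brochure.pdf',
    ];
}

/** Signature embedded in the rewritten content link. */
function sign_link(string $id): string
{
    return hash_hmac('sha256', $id, COUNTER_SECRET);
}

/** Rewrites a content link so it goes through the counter endpoint. */
function rewrite_link(string $id): string
{
    return '/download?id=' . rawurlencode($id) . '&sig=' . sign_link($id);
}

/**
 * Hardened: the request names a link id, not a URL; the id must exist in
 * the registry; and the HMAC proves the link came from the site's own
 * rewritten content, so the endpoint can neither redirect elsewhere nor
 * be pumped from a page the site did not render.
 */
function hardened_redirect(array $query, array &$counts): ?string
{
    $id    = (string) ($query['id'] ?? '');
    $sig   = (string) ($query['sig'] ?? '');
    $links = known_links();
    if (!isset($links[$id])) {
        return null; // unknown link: respond 404, count nothing
    }
    if (!hash_equals(sign_link($id), $sig)) {
        return null; // forged or missing signature: respond 403, count nothing
    }
    $counts[$id] = ($counts[$id] ?? 0) + 1;
    return $links[$id];
}

// Constructed requests.
$counts = [];
$target = vulnerable_redirect(['url' => 'https://attacker.example/login'], $counts);
echo "vulnerable endpoint redirects to: $target\n";

$counts = [];
$forged = hardened_redirect(['id' => 'report-2019', 'sig' => 'bogus'], $counts);
echo 'forged signature -> ' . var_export($forged, true) . "\n";

parse_str(substr(rewrite_link('report-2019'), strlen('/download?')), $q);
$ok = hardened_redirect($q, $counts);
echo "genuine rewritten link -> $ok, counted " . $counts['report-2019'] . " time(s)\n";
```

The signature ties the endpoint to links the site generated; it does not by itself stop someone who copies a rewritten URL off the page and embeds it elsewhere. If inflated counts from such hot-linking matter, a per-session nonce or a Referer/Origin check is needed on top.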

Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010

Date: 2019-January-23

The Anti-Spam by CleanTalk module protects Drupal sites from spambot registrations and spam comments submitted through comment and contact forms.

This module does not sufficiently filter submitted content in certain circumstances, leading to cross-site scripting and SQL injection.

Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007

Date: 2019-January-23

Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration.

This module does not properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to edit the breadcrumb configuration, or must control the value of a token used in that configuration (for example, a field of the content being displayed).
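The following is an added example, not the Panels Breadcrumbs module's code. It shows why the token path matters: a breadcrumb title configured by an administrator as `[node:title]` is harmless in itself, but the value substituted into it at render time is whatever a content author typed. The vulnerable renderer emits configuration and token output as raw markup; the hardened one escapes after token substitution and validates link targets. The token syntax, token values and function names are constructed for illustration.

```php
<?php
// Added example, not the Panels Breadcrumbs module's code. Token syntax,
// token values and function names are constructed for illustration.
declare(strict_types=1);

/** Constructed token values; node:title is what a content author typed. */
function token_values(): array
{
    return [
        'site:name'  => 'Example Site',
        'node:title' => 'Q4 report <img src=x onerror="alert(document.cookie)">',
    ];
}

/** Replaces [type:name] tokens with their values, leaving unknown ones as-is. */
function replace_tokens(string $text, array $values): string
{
    return preg_replace_callback(
        '/\[([a-z0-9_-]+:[a-z0-9_-]+)\]/i',
        fn(array $m): string => $values[$m[1]] ?? $m[0],
        $text
    );
}

/** Vulnerable: configured titles and token output are emitted as raw markup. */
function render_breadcrumb_vulnerable(array $crumbs, array $tokens): string
{
    $items = [];
    foreach ($crumbs as $crumb) {
        $title   = replace_tokens($crumb['title'], $tokens);
        $items[] = '<a href="' . $crumb['url'] . '">' . $title . '</a>';
    }
    return '<nav>' . implode(' &raquo; ', $items) . '</nav>';
}

/**
 * Hardened: escape the title AFTER token substitution (escaping the template
 * first would leave the substituted token values raw), attribute-encode the
 * href, and accept only http(s) or site-relative link targets.
 */
function render_breadcrumb_safe(array $crumbs, array $tokens): string
{
    $esc   = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $items = [];
    foreach ($crumbs as $crumb) {
        $url = replace_tokens($crumb['url'], $tokens);
        if (!preg_match('#^(?:https?://|/(?!/))#i', $url)) {
            $url = '#'; // javascript: and protocol-relative targets are refused
        }
        $title   = $esc(replace_tokens($crumb['title'], $tokens));
        $items[] = '<a href="' . $esc($url) . '">' . $title . '</a>';
    }
    return '<nav>' . implode(' &raquo; ', $items) . '</nav>';
}

// Constructed breadcrumb configuration as an administrator might save it.
$crumbs = [
    ['title' => '[site:name]',  'url' => '/'],
    ['title' => 'Reports',      'url' => '/reports'],
    ['title' => '[node:title]', 'url' => '/reports/current'],
];
echo render_breadcrumb_vulnerable($crumbs, token_values()), "\n";
echo render_breadcrumb_safe($crumbs, token_values()), "\n";
```

The order of operations is the point: sanitizing the stored configuration on save does not help when the dangerous bytes arrive later through a token, so the escaping has to happen on the final rendered string.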

Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004

Date: 2019-January-23

The Preview Link module enables you to generate preview links so that anonymous users can access unpublished revisions of content.

The last release of the module introduced an access bypass that allowed users presenting invalid tokens to still access unpublished content.
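The following is an added example, not the Preview Link module's code, and it does not reproduce the module's actual defect, which this page does not describe. It contrasts a generic fail-open token check (anything that is not a recognisably wrong token is let through) with a fail-closed one that denies everything except a verified, unexpired token bound to the specific node and revision. The secret, token layout, TTL and entity ids are assumptions.

```php
<?php
// Added example, not the Preview Link module's code. Secret, token layout,
// TTL and entity ids are assumptions; the fail-open pattern is generic.
declare(strict_types=1);

const PREVIEW_SECRET = 'replace-with-a-long-random-site-secret'; // assumed
const PREVIEW_TTL    = 86400;                                      // assumed: one day

/** Token bound to a node, a revision and an expiry, so it cannot be reused elsewhere. */
function make_preview_token(int $nid, int $vid, int $expires): string
{
    $mac = hash_hmac('sha256', "$nid:$vid:$expires", PREVIEW_SECRET);
    return "$expires.$mac";
}

/**
 * Fail-open: only a present, non-empty string token is ever compared, so a
 * missing or non-string token is never rejected; expiry is not checked and
 * the comparison is loose. This is the shape of bug to look for, not the
 * module's actual code.
 */
function vulnerable_grants_access(int $nid, int $vid, $token, int $now): bool
{
    if (is_string($token) && $token !== '') {
        [$expires] = explode('.', $token, 2) + [0 => '0'];
        $expected  = make_preview_token($nid, $vid, (int) $expires);
        if ($token != $expected) {
            return false;
        }
    }
    return true; // reached when the token is absent or not a string
}

/** Fail-closed: everything that is not a verified, unexpired token is denied. */
function hardened_grants_access(int $nid, int $vid, $token, int $now): bool
{
    if (!is_string($token) || strpos($token, '.') === false) {
        return false;
    }
    [$expires] = explode('.', $token, 2);
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // malformed or expired timestamp
    }
    $expected = make_preview_token($nid, $vid, (int) $expires);
    return hash_equals($expected, $token); // strict, constant-time comparison
}

$now   = 1_700_000_000; // constructed clock
$good  = make_preview_token(42, 7, $now + PREVIEW_TTL);
$other = make_preview_token(42, 8, $now + PREVIEW_TTL); // token for another revision
$old   = make_preview_token(42, 7, $now - 1);           // already expired

$cases = [
    ['valid',          $good],
    ['other revision', $other],
    ['expired',        $old],
    ['missing',        null],
    ['array',          ['x']],
    ['garbage',        'abc'],
];
foreach ($cases as [$label, $tok]) {
    printf("%-15s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerable_grants_access(42, 7, $tok, $now), true),
        var_export(hardened_grants_access(42, 7, $tok, $now), true));
}
```

Two habits prevent the fail-open shape: make the access decision a single positive check whose default return is deny, and include every parameter the token is supposed to protect (node, revision, expiry) in the signed material so a valid token for one revision cannot be replayed against another.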

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 2019-January-16
CVE IDs: CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may perform file operations on insufficiently validated user input and is therefore exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
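The following is an added example, not Drupal core's fix. The danger is that PHP's phar:// wrapper unserializes the archive's metadata as soon as any file operation, including a metadata-only call such as `file_exists()`, touches a phar:// path, so a user-supplied path that reaches such a call is a deserialization sink. The example shows the complementary control for contrib and custom code: an allow-list of stream-wrapper schemes applied to a path before it is handed to any filesystem function. The allowed schemes and the helper names are assumptions.

```php
<?php
// Added example, not Drupal core's fix. Allowed schemes and helper names
// are assumptions; the sample paths are constructed.
declare(strict_types=1);

/** Stream-wrapper schemes this site is willing to operate on (assumed). */
const ALLOWED_SCHEMES = ['public', 'private', 'temporary'];

/**
 * Lower-cased scheme of $path, or null for a plain local path. PHP matches
 * stream-wrapper schemes case-insensitively, so PHAR:// is as dangerous as phar://.
 */
function path_scheme(string $path): ?string
{
    return preg_match('#^([a-z][a-z0-9+.-]*)://#i', $path, $m) ? strtolower($m[1]) : null;
}

/** True only if $path uses an allowed scheme (or none) and does not traverse upward. */
function is_safe_file_path(string $path): bool
{
    if (strpos($path, "\0") !== false) {
        return false; // embedded NUL: never pass this to the filesystem layer
    }
    $scheme = path_scheme($path);
    if ($scheme !== null && !in_array($scheme, ALLOWED_SCHEMES, true)) {
        return false; // phar://, ftp://, data://, compress.* and friends are refused
    }
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

/** Wrapper that refuses to touch anything is_safe_file_path() rejects. */
function guarded_file_exists(string $path): bool
{
    if (!is_safe_file_path($path)) {
        throw new InvalidArgumentException("Refused file operation on '$path'");
    }
    return file_exists($path); // now only ever sees allowed schemes or plain paths
}

// Constructed sample paths, as they might arrive from a form or query string.
$samples = [
    'public://uploads/report.pdf',
    'phar://sites/default/files/avatar.jpg/x.txt', // an uploaded "image" that is really a phar
    'PHAR://sites/default/files/avatar.jpg/x.txt', // upper case does not help the attacker
    '../../sites/default/settings.php',
    'sites/default/files/readme.txt',
];
foreach ($samples as $p) {
    printf("%-48s %s\n", $p, is_safe_file_path($p) ? 'allowed' : 'refused');
}
```

A scheme allow-list is the right shape for application code because it rejects wrappers you have not thought of rather than only the one named in this advisory. It is not a substitute for keeping core up to date: the core fix addresses the phar:// wrapper itself, which also covers code paths this kind of check was never applied to.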
