Show advisories for only Drupal Core, only contributed projects, or only PSAs

Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Date: 
2018-May-23
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Date: 
2018-May-23
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

Update: 2018-06-03

A new maintainer has stepped forward and this project now has a stable release.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Date: 
2018-May-09
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

This module adds a new formatter for the file fields, which allows any file extension to be uploaded.
The module doesn't sufficiently handle sanitization under the scenario uploaded SVG files.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission create or edit on certain content types that allows SVG files to be uploaded.

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Date: 
2018-May-09
Security risk: 
Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default

Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Date: 
2018-May-09
Security risk: 
Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default

Simple Taxonomy Revision module enables revisions for taxonomy terms for Drupal 8.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Date: 
2018-May-09
Security risk: 
Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default

KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023

Date: 
2018-May-09
Security risk: 
Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default

With Multi-Step Registration you can create multi-step (wizard) user account registration forms.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Date: 
2018-April-25
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Date: 
2018-April-25
Security risk: 
Critical 15 ∕ 25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.

D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Date: 
2018-April-25
Security risk: 
Critical 18 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Pages

Subscribe with RSS Subscribe to Security advisories