Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

Date: 2018-April-25
CVE IDs: CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

Drupal 7 and 8 core critical release on April 25th, 2018 - PSA-2018-003

Date: 2018-April-23

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 and 18:00 UTC. This PSA is to notify you that this Drupal core release falls outside the regular schedule of security releases. The Drupal Security Team urges you to reserve time for core updates in that window, because there is some risk that exploits might be developed within hours or days of the release. Security release announcements will appear on the Drupal.org security advisory page.

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Date: 2018-April-18

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs, leading to a reflected cross-site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the URL.

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Date: 2018-April-18

This module helps in exporting and importing Menu Items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Date: 2018-April-18
CVE IDs: CVE-2018-9861

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002

Date: 2018-April-13

Description

This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Date: 2018-March-28
CVE IDs: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Edited 2020, February 13 to fix links to patch files.

Drupal 7 and 8 core highly critical release on March 28th, 2018 - PSA-2018-001

Date: 2018-March-21
  • Advisory ID: DRUPAL-PSA-2018-001
  • Project: Drupal Core
  • Version: 7.x, 8.x
  • Date: 2018-March-21

Exif - Critical - Access bypass - SA-CONTRIB-2018-017

Date: 2018-March-21

This module enables you to retrieve image metadata and use it in fields or the title.

The module doesn't sufficiently restrict access to its settings pages, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

JSON:API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016

Date: 2018-March-21

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to view the related data, otherwise all they can glean is an entity type UUID and a UUID, which are meaningless by themselves.
