Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Date: 2022-April-20
CVE IDs: CVE-2022-25273

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.

This advisory is not covered by Drupal Steward.

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Date: 2022-April-12

The Rename Admin Paths module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass the protection by using specially crafted URLs.

The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.

Anti-Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

Date: 2022-March-30

This module provides integration with the CleanTalk spam protection service.

The module does not properly filter data in certain circumstances.

Update: 2022-03-31 - fix release node links

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Date: 2022-March-23

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without those users needing the "administer permissions" permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own user account.

This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the Views Bulk Operations module enabled; for example, the admin_views module provides such a view.

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Date: 2022-March-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

This module was marked unsupported on 2022-01-26; however, publication of this SA was missed at that time.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Date: 2022-March-21
CVE IDs: CVE-2022-24775

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Date: 2022-March-09

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was exposing too much information about users, such as the list of groups a given uid is a member of.

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Date: 2022-March-09

The SVG Formatter module provides support for using SVG images on your website.

The module's dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

End of Drupal 6 vendor support - PSA-2022-03-09

Date: 2022-March-09

Drupal 6 LTS vendor-provided support will end on October 22, 2022.

On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term Support (LTS) program added more than 6 years of additional coverage for program participants and the community.
