Show advisories for only Drupal Core, only contributed projects, or only PSAs

SA-CORE-2019-003 Notice of increased risk and Additional exploit path - PSA-2019-02-22

Date: 
2019-February-23

This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2019-003 you should do that now.

There are public exploits now available for this SA.

Update, February 25: Mass exploits are now being reported in the wild.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Date: 
2019-February-20
Security risk: 
Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Uncommon
CVE IDs: 
CVE-2019-6340

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025

Date: 
2019-February-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024

Date: 
2019-February-20
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023

Date: 
2019-February-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022

Date: 
2019-February-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021

Date: 
2019-February-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020

Date: 
2019-February-20
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019

Date: 
2019-February-20
Security risk: 
Highly critical 25 ∕ 25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:All

This resolves issues described in SA-CORE-2019-003 for this module.

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018

Date: 
2019-February-20
Security risk: 
Critical 19 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Default

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Pages

Subscribe with RSS Subscribe to Security advisories