Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

Date: 2024-October-30
CVE IDs: CVE-2024-13289

This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.

The module doesn't sufficiently filter malicious script, leading to a persistent cross site scripting (XSS) vulnerability.

Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054

Date: 2024-October-23
CVE IDs: CVE-2024-45048, CVE-2024-45293, CVE-2024-45292, CVE-2024-45291, CVE-2024-45290, CVE-2024-45060, CVE-2024-45046, CVE-2018-19277

This module provides serialization formats for use by other modules.

The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities.

Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053

Date: 2024-October-23
CVE IDs: CVE-2022-29248, CVE-2022-31043, CVE-2022-31042, CVE-2022-31091, CVE-2022-31090

The Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform.

The module includes an outdated version of the Guzzle package (guzzlehttp/guzzle 6.3.3), which has known security vulnerabilities.

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

Date: 2024-October-23
CVE IDs: CVE-2024-13288

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution.

Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051

Date: 2024-October-23
CVE IDs: CVE-2024-13287

This module enables you to animate an SVG graphic by selecting certain rows in a view.

The module doesn't sufficiently sanitize the SVG file before embedding it into the HTML.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files.

SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050

Date: 2024-October-23
CVE IDs: CVE-2024-13286

This module enables you to embed the content of an SVG file into the body HTML of a node and optionally allows translating text contained within the image.

The module doesn't sufficiently sanitize the SVG file before embedding it into the HTML.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter.

Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002

Date: 2024-October-16
CVE IDs: CVE-2024-11942

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049

Date: 2024-October-09
CVE IDs: CVE-2024-13285

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

Date: 2024-October-09
CVE IDs: CVE-2024-13284

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.

This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

Date: 2024-October-09
CVE IDs: CVE-2024-13283

This module enables you to easily create and manage faceted search interfaces.

The module doesn't sufficiently filter malicious script, leading to a reflected cross site scripting (XSS) vulnerability.

The vulnerability exists in the Facets Summary submodule. If you do not use that submodule, your site is not vulnerable to this issue.

Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located
