Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046

Date: 2024-October-09
CVE IDs: CVE-2024-13282

This module enables you to manage blocks from specific modules in specific themes.

The module doesn't sufficiently check permissions when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). An attacker can add a block to a theme in which they are not permitted to manage blocks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045

Date: 2024-October-09
CVE IDs: CVE-2024-13281

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended.

This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter.

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

Date: 2024-October-02
CVE IDs: CVE-2024-13280

This module enables users to remain logged in separately from session timeouts.

The module doesn't sufficiently check a user's disabled status when validating cookies.

This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

Date: 2024-October-02
CVE IDs: CVE-2024-13279

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate sessions before prompting for a second factor token.

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

Date: 2024-October-02
CVE IDs: CVE-2024-13278

This module adds a tab for sufficiently permissioned users. The tab shows all revisions, like standard Drupal, but it also allows pretty viewing of all added, changed and deleted words between revisions.

The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff.

Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

Date: 2024-September-18
CVE IDs: CVE-2024-13277

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths it provides, allowing a malicious user to view and modify the module's settings.

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Date: 2024-September-11
CVE IDs: CVE-2024-13276

This module enables you to store and manage both private and public files, and provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to them. If the subfolder doesn't exist, the module places the file in a publicly accessible directory.

This vulnerability only affects sites with private files.

Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039

Date: 2024-September-11
CVE IDs: CVE-2024-13275

This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers.

The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data.

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

Date: 2024-September-04
CVE IDs: CVE-2024-13274

Open Social is a Drupal distribution for online communities.

The distribution didn't correctly validate the flood control limits on the password reset form. A potential attacker could flood the password reset form, which could result in a Denial of Service. Fortunately, the message does not disclose any information to the attacker.

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Date: 2024-September-04
CVE IDs: CVE-2024-13273

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed.

This module allows a website to display embedded content (such as photos or videos) when a user posts a link to that resource, without having to parse the resource directly.

Added URLs were not sufficiently validated, which could lead to a DoS via Blind SSRF and/or Application Takeover via Stored XSS.

This vulnerability is mitigated by the fact that the social_embed submodule must be enabled.
