Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061

Date: 2024-November-20
CVE IDs: CVE-2024-13295

This module allows users to export nodes and then import them into another Drupal installation, or into the same site.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attacker must operate with the permission "Use PHP to import nodes"; however, this could be the case if this issue were combined with others in an "attack chain".

POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Date: 2024-November-13
CVE IDs: CVE-2024-13294

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

This module accepts any uploaded file extension, including dangerous file formats, so it can be used to bypass the allow_insecure_uploads configuration setting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".

POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059

Date: 2024-November-13
CVE IDs: CVE-2024-13293

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

The module doesn't sufficiently protect against Cross Site Request Forgery, allowing an attacker to trick a site user into uploading a file.

Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058

Date: 2024-November-06
CVE IDs: CVE-2024-13292

This module enables you to add any HTML content you want in a tooltip displayed on mouse hover.

The module does not sufficiently escape the markup inserted in the tooltip block.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

Date: 2024-November-06
CVE IDs: CVE-2024-13291

The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks.

In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability.

OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056

Date: 2024-October-30
CVE IDs: CVE-2024-13290

Integrates your Drupal website with the Oh Dear monitoring app.

Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module.

This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for the OhDear report healthcheck endpoint. Caching is not enabled by default and there is no UI option to enable it; it has to be set directly in ohdear_integration.settings.yml.

Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

Date: 2024-October-30
CVE IDs: CVE-2024-13289

This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.

The module doesn't sufficiently filter malicious scripts, leading to a persistent cross site scripting (XSS) vulnerability.

Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054

Date: 2024-October-23
CVE IDs: 
CVE-2024-45048
CVE-2024-45293
CVE-2024-45292
CVE-2024-45291
CVE-2024-45290
CVE-2024-45060
CVE-2024-45048
CVE-2024-45046
CVE-2018-19277

This module provides serialization formats for use by other modules.

The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities.

Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053

Date: 2024-October-23
CVE IDs: 
CVE-2022-29248
CVE-2022-31043
CVE-2022-31042
CVE-2022-31091
CVE-2022-31090

The Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform.

The module includes an outdated version of the Guzzle package (guzzlehttp/guzzle 6.3.3), which has known security vulnerabilities.

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

Date: 2024-October-23
CVE IDs: CVE-2024-13288

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution.
