Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Date: 2022-March-21
CVE IDs: CVE-2022-24775

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

Date: 2022-March-09

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS.

The module was exposing too much information about users, such as the list of groups a uid is in.

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Date: 2022-March-09

SVG Formatter module provides support for using SVG images on your website.

Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.

End of Drupal 6 vendor support - PSA-2022-03-09

Date: 2022-March-09

Drupal 6 LTS vendor-provided support will end on October 22, 2022.

On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community.

GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027

Date: 2022-February-23

The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.

The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.

The vulnerability is mitigated by the facts that:

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

Date: 2022-February-23

This module provides an entity relationship hierarchy tree widget for an entity reference field.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to modify an entity that is referenced by the field.

Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025

Date: 2022-February-16

This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004.

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

Date: 2022-February-16
CVE IDs: CVE-2022-25270

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Also see Quick Edit - Moderately critical - Information disclosure - SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module.
