Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088

Date: 2019-November-13

Update: This module had an access bypass vulnerability which has now been addressed by the module’s current maintainers.

Original description

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Make Meeting Scheduler - Critical - Unsupported - SA-CONTRIB-2019-087

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085

Date: 2019-November-13

Updated November 22.

This module enables you to collect nodes in an arbitrarily ordered list.

Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loaded.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "manipulate queues".

Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084

Date: 2019-November-13

Updated January 9th, 2020

This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present in the web server.

The module doesn't sufficiently validate user input when providing a local filename to import.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "import taxonomy by csv".

Original advisory:

Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Update:

Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082

Date: 2019-November-13

This module enables you to output a field as a slideshow.

The module doesn't sufficiently filter strings added to the fields, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as a slideshow.

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081

Date: 2019-November-13

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
