Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052

Date: 2019-May-29

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it's used in combination with Services+REST server.

This vulnerability is mitigated by the fact that an attacker must authenticate to the site, the Services module must be configured on the site, and the user update resource must be enabled.

TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

Date: 2019-May-29

This module allows you to attach tabular data to an entity.

Access bypass

There is no access check for users with the "Export Tablefield Data as CSV" permission: they can export data from unpublished nodes or otherwise inaccessible entities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'Export Tablefield Data as CSV'.

XSS

When "Raw data (JSON or XML)" is selected in the field's display settings, the module doesn't sanitize the JSON output before passing it on to be rendered.

Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

Date: 2019-May-22

This module enables you to handle fields for Custom Menu Links.

The module doesn't sufficiently check requests to one of its controllers when the user has the 'administer menu' permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049

Date: 2019-May-22

The Workflow module enables you to create arbitrary Workflows and assign them to Entities.

The module doesn't sufficiently escape HTML in the field settings, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer nodes" and "administer workflow".

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

Date: 2019-May-15

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.

The module doesn't sufficiently check which user roles may be assigned at registration, so a user can register an account with the administrator role.

This vulnerability is mitigated on sites where account approval is required, since the new user starts out blocked; the account still receives the "Administrator" role, however.

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

Date: 2019-May-15

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

Date: 2019-May-15

In certain circumstances some forum information is available to unprivileged users, because the access check is done with node access instead of grants.

This vulnerability is mitigated by the fact that the module itself does not disclose the information; it is only exposed through listings such as Views that the site builder / developer has not restricted with this in mind.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

Date: 2019-May-08

CVE IDs: CVE-2019-11831

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]

Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07

Date: 2019-May-07

The Drupal Security Team will be coordinating a security release for Drupal 7 and 8 this week on Wednesday, May 8th, 2019.

We are issuing this PSA in advance because according to the regular security release window schedule, May 8th would not typically be a core security window.

This release is rated as moderately critical.

The Drupal 7 and 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm Eastern).

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

Date: 2019-April-17

CVE IDs: CVE-2019-11358

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.
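The behaviour quoted above is prototype pollution: a deep extend that copies an own, enumerable `__proto__` key from untrusted input ends up writing into `Object.prototype`, so every object on the page inherits the attacker-chosen properties. The following is an added example, not code from jQuery, Drupal or the advisory. It shows the two things a defender wants: a deep-extend that refuses to copy prototype-affecting keys (the same class of fix the jQuery release applies), and a small scanner that flags such keys in parsed JSON so the condition can be logged at the input boundary. The function names, the `BLOCKED_KEYS` list and the settings document are assumptions constructed for the example.

```javascript
// Added example (not jQuery or Drupal code): a hardened deep extend plus a
// detection helper for prototype-pollution keys in untrusted JSON.

// Keys through which a merge can reach Object.prototype (assumed list).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (object literals / JSON objects) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge: skips blocked keys and only recurses into the target's
// *own* properties, never into values inherited from the prototype chain.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue; // the fix: never copy these keys
      const value = source[key];
      if (isPlainObject(value)) {
        const existing =
          Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
            ? target[key]
            : {};
        target[key] = safeDeepExtend(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Detection helper: returns JSON-path-like locations of blocked keys anywhere
// in a parsed document, e.g. ['$.__proto__'], for logging or rejection.
function findPrototypeKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findPrototypeKeys(item, `${path}[${i}]`)));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const keyPath = `${path}.${key}`;
      if (BLOCKED_KEYS.has(key)) hits.push(keyPath);
      hits.push(...findPrototypeKeys(value[key], keyPath));
    }
  }
  return hits;
}

// Constructed sample: a settings document as a client might send it. JSON.parse
// creates "__proto__" as an ordinary own, enumerable property, which is exactly
// what a naive deep extend would then copy onto the target's prototype.
const UNTRUSTED_SETTINGS_JSON =
  '{"theme":"dark","__proto__":{"isAdmin":true},"nested":{"constructor":{"prototype":{"x":1}}}}';

function demo() {
  const untrusted = JSON.parse(UNTRUSTED_SETTINGS_JSON);
  const flagged = findPrototypeKeys(untrusted);
  const merged = safeDeepExtend({ theme: 'light', nested: {} }, untrusted);
  return {
    merged,
    flagged,
    // Had Object.prototype been polluted, every fresh object would report isAdmin.
    prototypePolluted: ({}).isAdmin === true,
  };
}

console.log(JSON.stringify(demo()));
```

After `demo()` runs, `merged` holds only `theme` and an empty `nested`, a fresh `{}` still has no `isAdmin`, and the scanner reports `$.__proto__`, `$.nested.constructor` and `$.nested.constructor.prototype`. Checking own properties with `hasOwnProperty.call` rather than `target[key]` matters: an inherited value would otherwise be treated as an existing merge target.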
