Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010

Date: 2019-January-23

The Anti-spam module by CleanTalk protects Drupal sites from spambot registrations and spam comment submissions through comment and contact forms.

This module does not sufficiently filter submitted content in certain circumstances.

Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007

Date: 2019-January-23

Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to edit breadcrumb configuration, or must be able to control the value of a token used in breadcrumb configuration.

Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005

Date: 2019-January-23

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004

Date: 2019-January-23

The Preview Link module enables you to generate preview links so that anonymous users can access unpublished revisions of content.

The most recent release of the module introduced an access bypass: a user presenting an invalid token could still access the unpublished content.
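The failure mode above is a token check that does not actually gate access on token validity. The following is an added example, not the Preview Link module's own code, of the shape such a check should have: deny by default, bind the token to one specific entity, expire it, and compare it in constant time. The class and method names (PreviewTokenStore, issue, allows) and the fixed clock value are hypothetical.

```php
<?php
// Added example, not the Preview Link module's code. Names are hypothetical.

final class PreviewTokenStore {
    /** @var array entity id => ['hash' => sha256 of token, 'expires' => unix time] */
    private $tokens = [];

    /**
     * Issue a fresh, unguessable token for one entity and return the raw
     * value to embed in the preview URL. Only a hash is kept server-side,
     * so a leaked store does not yield usable links.
     */
    public function issue(string $entityId, int $now, int $ttl = 86400): string {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$entityId] = [
            'hash'    => hash('sha256', $token),
            'expires' => $now + $ttl,
        ];
        return $token;
    }

    /**
     * Deny by default. A missing, empty, expired, or mismatched token, or a
     * token issued for a different entity, all yield false. hash_equals()
     * keeps the comparison constant-time.
     */
    public function allows(string $entityId, ?string $presented, int $now): bool {
        if ($presented === null || $presented === '') {
            return false;
        }
        $record = $this->tokens[$entityId] ?? null;
        if ($record === null || $now >= $record['expires']) {
            return false;
        }
        return hash_equals($record['hash'], hash('sha256', $presented));
    }
}

// Constructed demonstration with a fixed clock (2019-01-23 00:00:00 UTC).
$store = new PreviewTokenStore();
$now   = 1548201600;
$token = $store->issue('node:42', $now);

$cases = [
    'valid token, right entity'       => ['node:42', $token,          $now],
    'wrong token'                     => ['node:42', 'not-the-token', $now],
    'empty token'                     => ['node:42', '',              $now],
    'token issued for another entity' => ['node:43', $token,          $now],
    'past expiry'                     => ['node:42', $token,          $now + 90000],
];

foreach ($cases as $label => [$entityId, $presented, $at]) {
    echo $label, ': ', $store->allows($entityId, $presented, $at) ? 'allowed' : 'denied', "\n";
}
```

The point to carry into any review of a preview or share-link feature is the second method: every early return is a denial, and the only way to reach `true` is through a successful `hash_equals()` against the record for that exact entity.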

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 2019-January-16
CVE IDs: CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
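For contrib and custom code, the practical question is where a user-controlled string reaches `file_exists()`, `is_dir()`, `file_get_contents()` or similar, because a `phar://` path passed to those functions makes PHP open the archive and process its metadata. The following is an added example, not Drupal core's code, of a guard that rejects stream-wrapper schemes before the file operation runs. The scheme allowlist (`public`, `private`, `temporary`) and the function names are assumptions for a site that only expects its own local wrappers.

```php
<?php
// Added example, not Drupal core's code. The allowlist and names are
// assumptions; adjust the allowlist to the wrappers your site registers.

const ALLOWED_SCHEMES = ['public', 'private', 'temporary'];

/**
 * Return the stream-wrapper scheme a path would select, or null for a plain
 * local path. Close enough to PHP's own wrapper lookup for a guard: a scheme
 * of two or more [a-z0-9+.-] characters followed by a colon, so a Windows
 * drive letter such as "C:\..." is not treated as a scheme.
 */
function path_scheme(string $path): ?string {
    if (preg_match('/^([a-z][a-z0-9+.\-]+):/i', $path, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/**
 * Throw before any file operation if the path would route through a wrapper
 * that is not allowlisted. phar:// is the case this advisory is about; the
 * same check also stops http://, ftp://, data: and the rest. A NUL byte is
 * rejected too, since it can truncate the path at the C level.
 */
function assert_safe_path(string $path): void {
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $scheme = path_scheme($path);
    if ($scheme !== null && !in_array($scheme, ALLOWED_SCHEMES, true)) {
        throw new InvalidArgumentException("Refusing file operation on {$scheme}:// path");
    }
}

/** Vulnerable pattern: user input reaches file_exists() unchecked. */
function file_exists_unchecked(string $userPath): bool {
    return file_exists($userPath);
}

/** Hardened form: the same call, guarded. */
function file_exists_checked(string $userPath): bool {
    assert_safe_path($userPath);
    return file_exists($userPath);
}

// Constructed inputs. A real attack additionally needs a phar archive with
// crafted serialized metadata already on disk (for example uploaded under
// a harmless extension); the guard does not depend on whether one exists,
// so only the guard is exercised here.
$inputs = [
    'sites/default/files/report.pdf',
    'public://report.pdf',
    'phar://sites/default/files/upload.jpg/x',
    'PHAR://sites/default/files/upload.jpg/x',
    'http://attacker.example/x',
    "sites/default/files/a.txt\0.jpg",
];

foreach ($inputs as $input) {
    try {
        assert_safe_path($input);
        echo 'allowed: ', addcslashes($input, "\0"), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'blocked: ', addcslashes($input, "\0"), ' (', $e->getMessage(), ")\n";
    }
}
```

Drupal core's own fix took a different route, interposing its own handler for the `phar://` wrapper so that only archives core itself trusts are opened; a guard like the one above is the complementary check for a module's own code paths, applied at the point where the user-supplied string is about to become a path.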

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

Date: 2019-January-16
CVE IDs: CVE-2019-6338

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
