The Workflow module enables you to create arbitrary Workflows, and assign them to Entities.
The module doesn't sufficiently escape HTML in the field settings, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer nodes" and "administer workflow".
This module enables you to use special routes for user registration with special roles and custom field sets defined for the role.
The module doesn't sufficiently check which user roles may be assigned during registration, so a user attempting to register can obtain an account with the administrator role.
This vulnerability is mitigated on sites where account approval is required, since the new account starts out blocked, but it still receives the "Administrator" role.
In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.
Under certain circumstances, certain forum information may be exposed to unprivileged users because the access check is performed with node access instead of node grants.
This vulnerability is mitigated by the fact that the module itself does not disclose the information; it is exposed only through listings, such as views, where the site builder or developer has not taken this into account.
In order to intercept file invocations like file_exists or stat on compromised Phar archives, the base name has to be determined and checked before the path is handed to PHP's Phar stream handling. [...]
The Drupal Security Team will be coordinating a security release for Drupal 7 and 8 this week on Wednesday, May 8th, 2019.
We are issuing this PSA in advance because according to the regular security release window schedule, May 8th would not typically be a core security window.
This release is rated as moderately critical.
The Drupal 7 and 8 core release will be made between 16:00 – 21:00 UTC (noon – 5:00pm Eastern).
The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:
jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.
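The behaviour quoted above, shown with a deliberately minimal recursive merge placed beside a hardened one (an added example, not jQuery's own code). The vulnerable merge reuses the existing `target[key]` as the recursion target; for an own `__proto__` key produced by `JSON.parse`, that target is `Object.prototype` itself. `naiveDeepExtend`, `safeDeepExtend`, `pollutionCheck` and the JSON payload are all constructed for this illustration.

```javascript
// Constructed untrusted input: JSON.parse creates an *own*, enumerable
// "__proto__" key, which Object.keys() and for...in will both visit.
const UNTRUSTED_JSON = '{"title":"hello","__proto__":{"isAdmin":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: mirrors the pre-3.4.0 pattern. When key === "__proto__" and
// target is a plain object, target[key] resolves to Object.prototype, so the
// recursive call copies the attacker's properties onto every object.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];               // walks the prototype chain
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = naiveDeepExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that address the prototype chain, and only reuse a
// nested target object when it is an *own* property of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const clone = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection harness: merge the payload into a fresh object, then inspect an
// unrelated fresh object for the injected property. Cleans up afterwards so
// the global prototype is left as it was found.
function pollutionCheck(mergeFn) {
  const merged = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin;                     // undefined unless polluted
  delete Object.prototype.isAdmin;
  return { title: merged.title, leaked };
}
```

Running `pollutionCheck(naiveDeepExtend)` reports `leaked: true`, while `pollutionCheck(safeDeepExtend)` reports `leaked: undefined` with the benign `title` key still merged in both cases.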
Validation messages were not escaped when using the form theme of the PHP templating engine, which, when validation messages contain user input, could result in XSS.
This module allows you to attach tabular data to an entity.
The module doesn't sufficiently verify that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.
Stage File Proxy is a general solution for getting production files on a development server on demand.
The module doesn't sufficiently validate requested URLs, allowing an attacker to send repeated requests for files that do not exist, which could exhaust resources on the server where Stage File Proxy is installed.