Show advisories for only Drupal Core, only contributed projects, or only PSAs

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

Date: 
2023-August-23
Security risk: 
Critical 17 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Date: 
2023-August-23
Security risk: 
Critical 17 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

Date: 
2023-August-02
Security risk: 
Less critical 8 ∕ 25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.

Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032

Date: 
2023-July-26
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Proof/TD:All

Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection.

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

Date: 
2023-July-26
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19

Date: 
2023-July-19

Reminder: As we get ready for the End-of-life (EOL) of Drupal 7 in January 2025, changes are coming to the Drupal 7 ecosystem.

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030

Date: 
2023-July-12
Security risk: 
Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12

Date: 
2023-July-11

Updated 2023-07-14 to reference PSA-2023-06-07.

TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

Date: 
2023-June-28
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.

Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028

Date: 
2023-June-28
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to render a field in an expandable/collapsible region.

The module doesn't sufficiently sanitize the field content when displaying it to an end user.

This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.

Pages

Subscribe with RSS Subscribe to Security advisories