highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Date: 
2023-September-06

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently filter user-entered data.

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Date: 
2023-August-30

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module doesn't sufficiently escape the data attribute it outputs when a user is able to manipulate that value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

Date: 
2023-August-30

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.
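The highlight.php, Obfuscate Email and Unified Twig Extensions advisories above share one root cause: a Twig function or example builds HTML from user-supplied strings and hands it to the template as already-safe markup, so Twig's autoescaping never sees the payload. The following added example (written for this page, not code from any of those modules) shows the pattern with the standalone Twig library: a `code_block` function that declares its output safe via `is_safe`, first without escaping and then with element content escaped and the attribute value restricted to a whitelist. The function name, the template and the input string are constructed for the demonstration; it assumes `twig/twig` is installed via Composer.

```php
<?php
// Added example, not code from the highlight.php, Obfuscate Email or
// Unified Twig Extensions modules. Requires twig/twig (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

// Constructed attacker-controlled input, e.g. the text of a node body that a
// low-privileged author can edit.
$userInput = '</code><img src=x onerror="alert(1)">';
$userLang  = 'php" onmouseover="alert(2)';

// Vulnerable: the function concatenates raw input into HTML and then tells
// Twig the result is safe, so autoescape is bypassed and both payloads render.
$vulnerable = new TwigFunction('code_block', function (string $code, string $lang): string {
    return '<pre><code class="language-' . $lang . '">' . $code . '</code></pre>';
}, ['is_safe' => ['html']]);

// Fixed: escape each user-supplied value for the context it lands in before
// claiming the result is safe. Element content gets HTML escaping; the class
// attribute only ever needs a language token, so it is whitelisted instead.
$fixed = new TwigFunction('code_block', function (string $code, string $lang): string {
    $lang = preg_replace('/[^a-z0-9_-]/i', '', $lang) ?: 'plaintext';
    return '<pre><code class="language-' . $lang . '">'
        . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</code></pre>';
}, ['is_safe' => ['html']]);

foreach (['vulnerable' => $vulnerable, 'fixed' => $fixed] as $label => $fn) {
    // A fresh environment per variant so both can register the same function name.
    $twig = new Environment(new ArrayLoader([
        'tpl' => '{{ code_block(snippet, lang) }}',
    ]), ['autoescape' => 'html']);
    $twig->addFunction($fn);
    echo $label, ":\n", $twig->render('tpl', ['snippet' => $userInput, 'lang' => $userLang]), "\n\n";
}
```

In a Drupal Twig extension the same rule applies to a function that returns a `Markup` object or a render array with `#markup`: whatever it marks safe must already have been escaped with `Html::escape()` (from `Drupal\Component\Utility\Html`) or built from a render array that Drupal escapes itself. Attribute values, including `data-*` attributes, need the same treatment as element content; an attribute is not a safer place to put unescaped input.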

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

Date: 
2023-August-23

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.

Access to the module's field forms isn't properly validated, allowing a user with only the "access content" permission to view and edit fields on entities.

SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

Date: 
2023-August-23

This module aims to prevent broken content references by warning content editors when they delete content or archive it through content moderation.

The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content.

Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038

Date: 
2023-August-23

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling".

The module does not check appropriate permissions when displaying a list of all shorthand stories.

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Date: 
2023-August-23

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.
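The Data field, Shorthand and Config Pages advisories above are all access-bypass findings, and the Config Pages one illustrates a point that is easy to miss: when JSON:API is enabled, entities are reachable through `/jsonapi/...` routes that never touch the module's own admin routes, so a permission check placed only on the admin UI protects nothing there. The following added example (written for this page; not the code of any of those modules) puts the check where every consumer goes through it, in the entity type's access control handler. The module name `mymodule`, the entity type `mymodule_story` and the permission names are assumptions; it assumes a Drupal 10 site.

```php
<?php
// Added example, not code from the Config Pages, Shorthand or Data Field modules.
// Assumes a Drupal 10 module "mymodule" with a hypothetical content entity type
// "mymodule_story"; the permission names are assumptions as well.

namespace Drupal\mymodule;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access checks that every consumer of the entity goes through: the admin
 * listing and forms, Views, and JSON:API (which calls entity access, not
 * route requirements). Wire it in the entity type annotation:
 *
 *   handlers = { "access" = "Drupal\mymodule\StoryAccessControlHandler" }
 *
 * A `_permission` requirement on the admin route alone leaves the JSON:API
 * endpoints (/jsonapi/mymodule_story/mymodule_story) governed by whatever
 * the entity type falls back to when no handler is declared.
 */
class StoryAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Never key this on "access content": it is granted to anonymous users on
    // most sites, so it says nothing about who may see or change this entity.
    switch ($operation) {
      case 'view':
        return AccessResult::allowedIfHasPermission($account, 'view mymodule stories')
          ->cachePerPermissions();

      case 'update':
      case 'delete':
        return AccessResult::allowedIfHasPermission($account, 'administer mymodule stories')
          ->cachePerPermissions();
    }
    // Any other operation gets no opinion, which Drupal treats as denied
    // unless some other module explicitly allows it.
    return AccessResult::neutral()->cachePerPermissions();
  }

  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    return AccessResult::allowedIfHasPermission($account, 'administer mymodule stories')
      ->cachePerPermissions();
  }

}
```

For a plain listing controller that has no entity behind it, as in the Shorthand story list, the equivalent is a `_permission` requirement in the route definition rather than `_access: 'TRUE'`, with the permission declared in the module's `permissions.yml`. In both cases, verify the fix the way an attacker would: request the admin page, the JSON:API collection and any Views display as an anonymous user and as a user holding only "access content", and expect 403 from all of them.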

Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

Date: 
2023-August-23

The Flexi Access module provides a simple and flexible interface to the ACL (Access Control List) module. It lets you set up and manage ACLs naming individual users who are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

Date: 
2023-August-23

This module changes your forum administration page to allow you to make forums private. You can control which user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access to that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Date: 
2023-August-23

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Advisories for two contributed client modules, Forum Access (SA-CONTRIB-2023-035) and Flexi Access (SA-CONTRIB-2023-036), are listed above. Custom modules using ACL could also expose the vulnerability.
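"Remote Code Execution via Object Injection", as the ACL, Forum Access and Flexi Access advisories above put it, is the PHP pattern where request data reaches `unserialize()`: the serialized string names a class, PHP instantiates it, and any `__wakeup`, `__destruct` or `__toString` method in that class runs with attacker-chosen properties. The following added example (written for this page; it is not the code of the ACL module or its clients and does not reproduce their actual vulnerability) shows the pattern in isolation: a function that expects a serialized list of user IDs, an injected object whose destructor deletes a file, and two safe replacements. The `TempFile` class, the function names and the target file are constructed for the demonstration; it assumes PHP 8.0 or later and a writable temp directory.

```php
<?php
// Added example, generic PHP: not the code of the ACL, Forum Access or
// Flexi Access modules. Demonstrates why unserialize() on request data is
// unsafe and two safe replacements. Requires PHP 8.0+.

// A class that exists somewhere in the autoloaded code base and does real work
// on destruction. Hypothetical; stands in for any gadget class an attacker can
// reach on a typical site.
final class TempFile
{
    public function __construct(public string $path) {}

    public function __destruct()
    {
        // Harmless for the paths the application sets; a delete primitive once
        // the attacker controls $path.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: the legitimate data is an array of user IDs, but unserialize()
// instantiates whatever class the input names before the type check runs.
function loadUidsVulnerable(string $input): array
{
    $data = unserialize($input);
    return is_array($data) ? array_map('intval', $data) : [];
}

// Fixed (1): forbid object instantiation. Objects in the input become
// __PHP_Incomplete_Class and no magic method of the named class is invoked.
function loadUidsAllowedClasses(string $input): array
{
    $data = unserialize($input, ['allowed_classes' => false]);
    return is_array($data) ? array_map('intval', $data) : [];
}

// Fixed (2): use a data-only format that cannot encode PHP objects at all.
function loadUidsJson(string $input): array
{
    $data = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON array of user IDs');
    }
    return array_map('intval', $data);
}

// Constructed attacker input: a serialized TempFile whose path points at a
// file the attacker should have no way to delete. The serialization format
// is O:<len>:"<class>":<count>:{<props>} with s:<len>:"<string>" members.
$target  = sys_get_temp_dir() . '/important-config';
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($target), $target);

touch($target);

loadUidsAllowedClasses($payload);
echo 'after allowed_classes=false: target exists = ', var_export(file_exists($target), true), "\n";

loadUidsVulnerable($payload);
echo 'after plain unserialize:    target exists = ', var_export(file_exists($target), true), "\n";

echo 'json path: ', implode(',', loadUidsJson('[3,7,12]')), "\n";
```

The injected object never escapes `loadUidsVulnerable()` (the function returns an empty array because the result is not an array), yet the damage is done when the object falls out of scope and its destructor runs. That is why "the module validates the result" is not a defence: the gadget fires before any validation. In Drupal, store and exchange structured data with `Drupal\Component\Serialization\Json` or as plain arrays in configuration and form state, and treat any `unserialize()` call whose input can be traced to a request parameter as a finding.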
