Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025

Date: 2023-June-28

This module provides integration with Mailchimp, a popular email delivery service.

A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack.

GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024

Date: 2023-June-28

This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.

The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer gridstack".

GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023

Date: 2023-June-28

This module enables you to define configurable GDPR alert messages.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer gdpr alert" regardless of other configurations.

Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022

Date: 2023-June-21

This module enables you to create and manage photos and photo albums on your website.

The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit any photo" or "delete any photo".

Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021

Date: 2023-June-21

CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation.

The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the attacker must have a role with the "Administer Civic Cookie Control" permission.

Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

Date: 2023-June-14

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

End of life announcement and changes to Drupal 7 support - PSA-2023-06-07

Date: 2023-June-07

Updated 2023-07-14 to reference PSA-2023-07-12.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019

Date: 2023-May-31

This module provides social media share & follow buttons.

The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018

Date: 2023-May-31

This module provides social media share & follow buttons.

The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.

This vulnerability is mitigated by the fact that it requires the node ID to be passed via the route, so another module or specific configuration must provide this ID, as the /node/{id} page doesn't provide this value on an access denied.

Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017

Date: 2023-May-31

The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent.

The module doesn't sufficiently sanitize the text on the block, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create blocks.
