Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016

Date: 2023-May-31

The Iubenda Integration module provides a custom block that links to the Iubenda privacy policy. On this block, custom prefix and suffix text can be entered.

The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content or to edit the layout, or a role with the "Administer blocks" permission.

File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015

Date: 2023-May-17

The File Chooser Field module allows users to upload files using third-party plugins such as Google Drive and Dropbox.

This module fails to validate user input sufficiently, which under certain circumstances could lead to a Server Side Request Forgery (SSRF) vulnerability resulting in information disclosure. In uncommon configurations and scenarios, it might lead to remote code execution.
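
The feature at issue is a server-side fetch of a URL the user chose, which is the SSRF pattern in its plainest form. As an added, generic illustration (not the File Chooser Field module's code), the guard below checks such a URL before anything is fetched. The allow-listed provider hosts, the fake DNS table, the addresses in it and the sample URLs are all constructed for this example; the resolver is injectable only so the demo runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the File Chooser Field module's code: a pre-fetch guard
// for a "download the file the user picked from a cloud provider" step.

final class RemoteFetchGuard {
    /** @var string[] lower-cased hostnames this feature may contact */
    private array $allowedHosts;
    /** @var callable(string): (string[]|false) gethostbynamel-compatible resolver */
    private $resolve;

    public function __construct(array $allowedHosts, ?callable $resolver = null) {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
        $this->resolve = $resolver ?? 'gethostbynamel';
    }

    /**
     * Public unicast only. The two flags reject 10/8, 172.16/12, 192.168/16,
     * 127/8, 0/8, 169.254/16 (cloud metadata lives at 169.254.169.254),
     * ::1, fc00::/7 and fe80::/10.
     */
    public static function isPublicIp(string $ip): bool {
        return filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
    }

    /** Returns null when the URL may be fetched, otherwise the reason it was refused. */
    public function reject(string $url): ?string {
        $p = parse_url($url);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return 'unparseable URL or missing host';
        }
        if (strtolower($p['scheme']) !== 'https') {
            return 'scheme must be https';             // no file://, gopher://, http://
        }
        if (isset($p['user']) || isset($p['pass'])) {
            return 'userinfo not allowed';             // https://drive.google.com@evil.example/
        }
        if (isset($p['port']) && $p['port'] !== 443) {
            return 'non-standard port';
        }
        $host = strtolower(rtrim($p['host'], '.'));
        if (!in_array($host, $this->allowedHosts, true)) {
            return "host '$host' not in allow-list";   // also refuses literal IPs
        }
        $ips = ($this->resolve)($host);
        if ($ips === false || $ips === []) {
            return 'DNS resolution failed';
        }
        foreach ($ips as $ip) {
            if (!self::isPublicIp($ip)) {
                return "host resolves to non-public address $ip";
            }
        }
        return null;
    }
}

// Constructed DNS table so the demo runs offline; a real deployment passes no resolver.
$fakeDns = [
    'www.dropbox.com'  => ['192.0.2.10'],   // documentation-range address standing in for a public one
    'drive.google.com' => ['198.51.100.20'],
    'rebound.example'  => ['10.0.0.5'],     // an allow-listed name that now points inside the network
];
$guard = new RemoteFetchGuard(
    ['www.dropbox.com', 'drive.google.com', 'rebound.example'],
    fn (string $h) => $fakeDns[$h] ?? false
);

$samples = [
    'https://www.dropbox.com/s/abc123/report.pdf?dl=1',   // OK
    'http://www.dropbox.com/s/abc123/report.pdf',         // scheme
    'https://drive.google.com@attacker.example/x',        // userinfo trick
    'https://169.254.169.254/latest/meta-data/',          // metadata endpoint, not allow-listed
    'file:///etc/passwd',                                 // scheme
    'https://www.dropbox.com:8443/admin',                 // port
    'https://rebound.example/file',                       // resolves to 10.0.0.5
];
foreach ($samples as $url) {
    printf("%-52s %s\n", $url, $guard->reject($url) ?? 'OK');
}
```

Two caveats a reviewer would raise. First, this is a check-then-fetch: when the fetch follows redirects, an allow-listed host that answers with a 302 to an internal address defeats it, so either disable redirect following (`CURLOPT_FOLLOWLOCATION` off) or re-run `reject()` on every `Location`. Second, the address that was validated should be the one actually connected to; pinning it with `CURLOPT_RESOLVE` closes the window between the lookup here and cURL's own lookup.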

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014

Date: 2023-May-03

S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.

This module may fail to validate that a file requested to be moved into S3 storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.

This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

Date: 2023-April-19

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
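
The check a private-file download route needs, as an added illustration and not Drupal core's download controller: resolve the requested name against the private root and refuse anything that ends up outside it. The directory tree, the symlink and the request strings are constructed for the demo; it assumes PHP 8 for `str_contains()` and `str_starts_with()`.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core's file download controller. Resolves a
// user-supplied relative path against a private files root and refuses
// anything that escapes it.

function resolvePrivateFile(string $privateRoot, string $requested): ?string {
    // NUL bytes truncate the path inside libc calls; refuse rather than "clean".
    if (str_contains($requested, "\0")) {
        return null;
    }
    // Only relative names are accepted: no absolute paths, no scheme:// prefixes.
    if ($requested === '' || $requested[0] === '/' || $requested[0] === '\\'
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }
    $root = realpath($privateRoot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so a symlink inside
    // the root that points outside resolves to its real target and fails containment.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || $candidate === $root) {
        return null;   // missing file, dangling symlink, or the root directory itself
    }
    if (!str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
        return null;   // resolved outside the private root
    }
    return $candidate;
}

// --- demo on a constructed tree under the system temp dir ---
$tmp = sys_get_temp_dir();
$root = $tmp . '/private_' . bin2hex(random_bytes(4));
mkdir($root . '/reports', 0700, true);
file_put_contents($root . '/reports/q1.pdf', 'constructed sample content');
$outside = $tmp . '/outside_' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($outside, 'must never be served');
symlink($outside, $root . '/reports/escape');

$requests = [
    'reports/q1.pdf',                 // legitimate
    'reports/../reports/q1.pdf',      // ".." that stays inside the root: allowed
    '../' . basename($outside),       // classic ../ escape
    'reports/../../../etc/passwd',    // deep traversal
    'reports/escape',                 // symlink pointing outside the root
    "reports/q1.pdf\0.png",           // NUL-byte extension trick
    '/etc/hostname',                  // absolute path
];
foreach ($requests as $r) {
    $resolved = resolvePrivateFile($root, $r);
    printf("%-32s => %s\n", addcslashes($r, "\0"),
        $resolved === null ? 'REJECTED' : 'serve ' . $resolved);
}

// cleanup of the constructed tree
unlink($root . '/reports/escape');
unlink($root . '/reports/q1.pdf');
rmdir($root . '/reports');
rmdir($root);
unlink($outside);
```

Containment answers only "is this file inside the private root"; whether the requesting user may read it is a separate decision. In Drupal that decision is the access check the download route runs (`hook_file_download()`), and the two must both pass.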

Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013

Date: 2023-April-12

This module enables you to secure any page with a password.

The module does not sufficiently restrict access to the page content.

Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012

Date: 2023-March-29

This module is a tool for developers, analysts, and administrators that generates reports on a given Drupal installation.

The module does not sufficiently sanitize some data presented in its reports.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to administer an impacted content type.

Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011

Date: 2023-March-15

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010

Date: 2023-March-15

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.

This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.

This release was coordinated with SA-CORE-2023-002.

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

Date: 2023-March-15

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker were able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Date: 2023-March-15

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.
