Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

Date: 
2023-March-15

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.

This release was coordinated with SA-CONTRIB-2023-010.

This advisory is not covered by Drupal Steward.

Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009

Date: 
2023-March-08

This module provides a new UI experience for node editing - Gutenberg editor.

This vulnerability can cause DoS by using reusable blocks improperly.

This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it.

Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008

Date: 
2023-March-01

This module enables you to associate Forums as Group 1.x content and use Group access permissions.

Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Date: 
2023-March-01

Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.

The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.

Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006

Date: 
2023-March-01

This module enables you to add social sharing buttons to a site.

The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

Date: 
2023-February-01

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Date: 
2023-January-18

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Date: 
2023-January-18

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Date: 
2023-January-18

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

Date: 
2023-January-18

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Pages

Subscribe with RSS Subscribe to Security advisories