REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

Date: 2024-April-24

The Rest views module lets site admins create REST exports in Views with additional options for serializing data.

This module does not accurately check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that there must be a specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.

Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017

Date: 2024-April-24

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.

This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

Date: 2024-March-27

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.

This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

Date: 2024-March-06

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

Date: 2024-February-28

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

Date: 2024-February-28

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

Date: 2024-February-28

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.

The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

Date: 2024-February-28

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010

Date: 2024-February-21

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Date: 2024-February-14

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.

The vulnerability is mitigated by the fact it requires:
