Show advisories for only Drupal Core, only contributed projects, or only PSAs

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Date: 
2023-September-20
Security risk: 
Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

Date: 
2023-September-13
Security risk: 
Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

Date: 
2023-September-06
Security risk: 
Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.

The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.

This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.

highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Date: 
2023-September-06
Security risk: 
Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently filter user-entered data.

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Date: 
2023-August-30
Security risk: 
Less critical 5∕25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Uncommon

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

Date: 
2023-August-30
Security risk: 
Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

Date: 
2023-August-23
Security risk: 
Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system.

Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities.

SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

Date: 
2023-August-23
Security risk: 
Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

This module aims to prevent broken content references by informing content editors either on delete or archive moderation.

The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content.

Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038

Date: 
2023-August-23
Security risk: 
Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling".

The module does not check appropriate permissions when displaying a list of all shorthand stories.

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Date: 
2023-August-23
Security risk: 
Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

This vulnerability is mitigated by the fact that it only affects sites when the JSONAPI module is installed.

Pages

Subscribe with RSS Subscribe to Security advisories