Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by community members.

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

Date: 2024-March-06

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

Date: 2024-February-28

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

Date: 2024-February-28

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

Date: 2024-February-28

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.

The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

Date: 2024-February-28

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.

The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010

Date: 2024-February-21

This module provides an alternative means of rebuilding the Content Access table.

The module doesn't sufficiently reset the state of content access when the module is uninstalled.

CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

Date: 2024-February-14

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.

The vulnerability is mitigated by the fact it requires:

Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008

Date: 2024-February-07

The Migrate Tools module provides tools for running and managing Drupal migrations.

The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios, allowing an attacker to trick an authenticated administrator into initiating a migration.

This vulnerability is mitigated by the fact that an attacker must know the name of the migration.

Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

Date: 2024-January-31

The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments.

It does not apply a sufficient permission check to the log report page, allowing an attacker to view information from deleted entities.

Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

Date: 2024-January-24

The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.

The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which would require either another contributed module or a custom integration.
