Show advisories for only Drupal core, only PSAs, or all security advisories

Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by community members.

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

Date: 
2023-August-02
Security risk: 
Less critical 8∕25 AC:Complex/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.

Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032

Date: 
2023-July-26
Security risk: 
Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:None/E:Proof/TD:All

Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection.

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

Date: 
2023-July-26
Security risk: 
Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030

Date: 
2023-July-12
Security risk: 
Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

Date: 
2023-June-28
Security risk: 
Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.

Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028

Date: 
2023-June-28
Security risk: 
Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to render a field in an expandable/collapsible region.

The module doesn't sufficiently sanitize the field content when displaying it to an end user.

This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.

Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027

Date: 
2023-June-28
Security risk: 
Moderately critical 11∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default

This module enables a UI to display all libraries provided by modules and themes on the Drupal site.

The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission.

The vulnerability/library information can be exploited by simply visiting/knowing the url of the reporting page. The solution is to protect the page via a module specific permission that must be granted by an administrative user.

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

Date: 
2023-June-28
Security risk: 
Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

This module enables you to use complex autocompletion in forms.

The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role which allows them to publish the kind of data used in the autocomplete (for instance create nodes if the tool is used to search nodes, comments if the tool is used to search comments, etc...)

Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025

Date: 
2023-June-28
Security risk: 
Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All

This module provides integration with Mailchimp, a popular email delivery service.

A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack.

GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024

Date: 
2023-June-28
Security risk: 
Less critical 7∕25 AC:Complex/A:Admin/CI:None/II:None/E:Exploit/TD:Uncommon

This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI.

The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer gridstack".

Pages

Subscribe with RSS Subscribe to Security advisories for contributed projects