Paragraphs admin - Moderately critical - Access bypass - SA-CONTRIB-2023-049

Date: 2023-November-01

This module enables you to view all paragraph entities in an admin view.
The module contains an access bypass that allows non-admin users to access that view.
The vulnerability can be mitigated by editing the view and changing the permission required to access its page.

Drupal 9 is end of life - PSA-2023-11-01

Date: 2023-November-01

Drupal 9 is end of life as of November 1st, 2023.

Drupal 9 relies on several other software projects, including Symfony 4, CKEditor 4, and Twig 2. With all three reaching end of life soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9, including security releases.

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048

Date: 2023-October-04

This module enables users to log in by email address with minimal configuration.

Drupal core protects the login form against brute force attacks through its flood control mechanism. This module's email login path did not replicate that flood control, so login attempts made through it were not rate-limited, enabling brute force attacks.

A previous security advisory, SA-CONTRIB-2023-045, was released for this issue, but that release did not successfully address the vulnerability. This security advisory and the updated module version supersede the previous one.

Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

Date: 2023-September-27

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's content_moderation module.

The module does not sufficiently check access to content when sending notifications, so a recipient can receive a notification about content they are not permitted to view.
This vulnerability is mitigated by the fact that an attacker must have been assigned to receive notifications for the given content. Additionally, only the data included in the email is exposed; the attacker does not gain access to the content on the site itself.
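The fix for this class of bug is to evaluate entity access for each recipient, not for the user who triggered the transition. The following is an added example and is not the Content Moderation Notifications module's code: a helper that sends a transition notice only to users who may view the node. The module name, the role name, the mail key and the calling hook are hypothetical; `NodeInterface::access()`, the user entity storage, the mail manager and `hook_mail()` are Drupal core APIs.

```php
<?php
// Added example, not the Content Moderation Notifications module's code.
// 'example_notify', the 'editor' role and the 'transition' mail key are
// hypothetical. Intended to be called from whatever hook or event subscriber
// reacts to a content_moderation transition (not shown here).

use Drupal\node\NodeInterface;
use Drupal\user\UserInterface;

/**
 * Notify the author and every active 'editor' who is allowed to view $node.
 *
 * @return int[]
 *   The user IDs that were actually notified.
 */
function example_notify_transition(NodeInterface $node, string $from, string $to): array {
  $storage = \Drupal::entityTypeManager()->getStorage('user');
  /** @var UserInterface[] $recipients */
  $recipients = $storage->loadByProperties(['roles' => 'editor', 'status' => 1]);
  $owner = $node->getOwner();
  if ($owner instanceof UserInterface) {
    $recipients[$owner->id()] = $owner;
  }

  $sent = [];
  foreach ($recipients as $account) {
    // The check the advisory describes as missing: access is evaluated for the
    // recipient. Without it, an editor who cannot see this node (for example an
    // unpublished draft without 'view own unpublished content' or
    // 'bypass node access') would still get its title and URL by mail.
    if (!$node->access('view', $account)) {
      continue;
    }
    \Drupal::service('plugin.manager.mail')->mail(
      'example_notify',
      'transition',
      $account->getEmail(),
      $account->getPreferredLangcode(),
      ['node' => $node, 'from' => $from, 'to' => $to],
    );
    $sent[] = (int) $account->id();
  }
  return $sent;
}

/**
 * Implements hook_mail().
 */
function example_notify_mail(string $key, array &$message, array $params): void {
  if ($key !== 'transition') {
    return;
  }
  /** @var NodeInterface $node */
  $node = $params['node'];
  $message['subject'] = t('@title moved from @from to @to', [
    '@title' => $node->label(),
    '@from' => $params['from'],
    '@to' => $params['to'],
  ]);
  // Only the link goes in the body; the recipient has already passed the
  // access check, so following it shows them content they may view anyway.
  $message['body'][] = $node->toUrl('canonical', ['absolute' => TRUE])->toString();
}
```

Keying the check on the recipient matters because the user who moves content between states is usually a privileged editor whose own access says nothing about what each subscriber may see.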

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Date: 2023-September-27

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to a significant access bypass.

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Date: 2023-September-20
CVE IDs: CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

Date: 2023-September-13

This module enables users to log in by email address with minimal configuration.

Drupal core protects the login form against brute force attacks through its flood control mechanism. This module's email login path did not replicate that flood control, so login attempts made through it were not rate-limited, enabling brute force attacks.
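Both Mail Login advisories (SA-CONTRIB-2023-045 above and SA-CONTRIB-2023-048 earlier on this page) come down to the same omission: a second login path that bypasses the per-IP and per-account counters core keeps for `/user/login`. The following is an added example, not the Mail Login module's code, of a custom email login form that reuses core's `flood` service and the same `user.flood` settings and event names the core login form uses. The module namespace, form class and messages are hypothetical; `FloodInterface`, the `user.auth` service and the `user.flood` config keys (`ip_limit`, `ip_window`, `user_limit`, `user_window`, `uid_only`) are Drupal core's.

```php
<?php
// Added example, not the Mail Login module's code. The module namespace,
// form class and messages are hypothetical; the 'flood' and 'user.auth'
// services, FloodInterface and the user.flood config keys are Drupal core's.

namespace Drupal\example_email_login\Form;

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\user\UserAuthInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

class EmailLoginForm extends FormBase {

  public function __construct(
    protected FloodInterface $flood,
    protected UserAuthInterface $userAuth,
    protected EntityTypeManagerInterface $entityTypeManager,
  ) {}

  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('flood'),
      $container->get('user.auth'),
      $container->get('entity_type.manager'),
    );
  }

  public function getFormId() {
    return 'example_email_login_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['mail'] = ['#type' => 'email', '#title' => $this->t('Email address'), '#required' => TRUE];
    $form['pass'] = ['#type' => 'password', '#title' => $this->t('Password'), '#required' => TRUE];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Log in')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $flood = $this->config('user.flood');
    $ip = $this->getRequest()->getClientIp();
    $mail = trim((string) $form_state->getValue('mail'));

    // 1. Per-IP bucket, checked before any account is looked up, so an attacker
    //    spraying many addresses from one host is throttled like on /user/login.
    if (!$this->flood->isAllowed('user.failed_login_ip', $flood->get('ip_limit'), $flood->get('ip_window'))) {
      $form_state->setErrorByName('mail', $this->t('Too many failed login attempts from your IP address. Try again later.'));
      return;
    }

    $accounts = $this->entityTypeManager->getStorage('user')->loadByProperties(['mail' => $mail, 'status' => 1]);
    $account = reset($accounts);
    if (!$account) {
      // Unknown address: count it against the IP and answer generically so the
      // form does not reveal which addresses have accounts.
      $this->flood->register('user.failed_login_ip', $flood->get('ip_window'));
      $form_state->setErrorByName('mail', $this->t('Unrecognized email address or password.'));
      return;
    }

    // 2. Per-account bucket, keyed on uid alone when uid_only is set, otherwise
    //    on uid + IP, exactly as core keys it.
    $identifier = $flood->get('uid_only') ? $account->id() : $account->id() . '-' . $ip;
    if (!$this->flood->isAllowed('user.failed_login_user', $flood->get('user_limit'), $flood->get('user_window'), $identifier)) {
      $form_state->setErrorByName('mail', $this->t('Too many failed login attempts for this account. Try again later.'));
      return;
    }

    // Only now is the password checked; a failure is recorded in both buckets.
    $uid = $this->userAuth->authenticate($account->getAccountName(), $form_state->getValue('pass'));
    if ($uid === FALSE) {
      $this->flood->register('user.failed_login_ip', $flood->get('ip_window'));
      $this->flood->register('user.failed_login_user', $flood->get('user_window'), $identifier);
      $form_state->setErrorByName('mail', $this->t('Unrecognized email address or password.'));
      return;
    }
    $form_state->set('uid', $uid);
    $form_state->set('flood_identifier', $identifier);
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $account = $this->entityTypeManager->getStorage('user')->load($form_state->get('uid'));
    // A successful login clears the per-account counter, as core does; the IP
    // counter is left to expire with its window.
    $this->flood->clear('user.failed_login_user', $form_state->get('flood_identifier'));
    user_login_finalize($account);
    $form_state->setRedirect('<front>');
  }

}
```

Because the example registers failures under the same event names (`user.failed_login_ip`, `user.failed_login_user`) and identifiers that core uses, attempts through the email form and through `/user/login` share one budget; an attacker cannot reset the count by alternating between the two forms.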

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

Date: 2023-September-06

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.

The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.

This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.

highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Date: 2023-September-06

Provides highlight.php integration to Drupal, allowing <code> blocks to be automatically highlighted with the correct language.

The module's Twig function doesn't sufficiently escape user-entered data before returning it as markup.
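The WebProfiler `abbr_class` filter above and the highlight.php Twig function here are the same class of bug seen from two sides: a Twig extension that declares its output HTML-safe (so auto-escaping is skipped) but builds that output from unescaped input. The following is an added, stand-alone example and is not the code of either module. It registers a vulnerable and a hardened filter and function in a minimal Twig environment and renders a constructed attacker payload through each; it assumes `twig/twig` is installed via Composer, and every name in it is hypothetical.

```php
<?php
// Added example, not WebProfiler or highlight.php code. Assumes twig/twig is
// installed via Composer; the extension, filter and function names are made up.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;
use Twig\TwigFunction;

final class DemoExtension extends AbstractExtension {

  public function getFilters(): array {
    return [
      // VULNERABLE: 'is_safe' tells Twig the return value is already HTML, so
      // auto-escaping is skipped, yet the class name is interpolated raw.
      new TwigFilter('abbr_unsafe', [$this, 'abbrUnsafe'], ['is_safe' => ['html']]),
      // HARDENED: same markup, but every untrusted value is escaped before
      // being wrapped, so declaring the result safe is justified.
      new TwigFilter('abbr_safe', [$this, 'abbrSafe'], ['is_safe' => ['html']]),
    ];
  }

  public function getFunctions(): array {
    return [
      // VULNERABLE: a "highlighter" that wraps the code block without escaping.
      new TwigFunction('highlight_unsafe',
        fn(string $code): string => "<pre><code>$code</code></pre>",
        ['is_safe' => ['html']]),
      // HARDENED: escape first, then wrap.
      new TwigFunction('highlight_safe',
        fn(string $code): string => '<pre><code>' . self::esc($code) . '</code></pre>',
        ['is_safe' => ['html']]),
    ];
  }

  /** HTML-escape a value destined for element content or a quoted attribute. */
  public static function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }

  /** Everything after the last namespace separator, e.g. "App\Foo" -> "Foo". */
  private static function shortName(string $class): string {
    return substr(strrchr('\\' . $class, '\\'), 1);
  }

  public function abbrUnsafe(string $class): string {
    return '<abbr title="' . $class . '">' . self::shortName($class) . '</abbr>';
  }

  public function abbrSafe(string $class): string {
    return '<abbr title="' . self::esc($class) . '">' . self::esc(self::shortName($class)) . '</abbr>';
  }

}

$twig = new Environment(new ArrayLoader([
  'page' => "unsafe filter:   {{ cls|abbr_unsafe }}\n"
          . "safe filter:     {{ cls|abbr_safe }}\n"
          . "unsafe function: {{ highlight_unsafe(code) }}\n"
          . "safe function:   {{ highlight_safe(code) }}\n",
]), ['autoescape' => 'html']);
$twig->addExtension(new DemoExtension());

// Constructed attacker-controlled input: a "class name" that closes the title
// attribute and a "code block" that carries a script tag.
$payload = '"><script>alert(1)</script>';
echo $twig->render('page', ['cls' => 'App\\Foo' . $payload, 'code' => $payload]);
```

With auto-escaping on, the two `unsafe` lines still emit a literal `<script>` element because the `is_safe` option told Twig not to touch them, while the two `safe` lines emit `&quot;&gt;&lt;script&gt;...`. The rule for any Twig extension is that `is_safe` is a promise the callable has to keep: either escape every untrusted value yourself, as the hardened variants do, or omit `is_safe` and let the auto-escaper handle the return value.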

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

Date: 2023-August-30

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy.

The module does not sufficiently escape the data attribute in the scenario where a user is able to manipulate its value.

This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.
