Show advisories for only Drupal Core, only contributed projects, or only PSAs

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Date: 
2022-May-25
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All

Entity Browser Block provides a Block Plugin for every Entity Browser on your site.

The module didn't sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Date: 
2022-May-25
Security risk: 
Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.

This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.

Embed - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2022-042

Date: 
2022-May-25
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.

In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to Cross-Site Request Forgery.

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

Date: 
2022-May-18
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

The Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.

The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

Date: 
2022-May-04
Security risk: 
Critical 15 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

Date: 
2022-May-04
Security risk: 
Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:None/II:Some/E:Proof/TD:All

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.

The module has a vulnerability which allows attackers to bypass the protection to clone any group content with an access check. Users are allowed to copy other group's nodes, and if they do that, the node gets added to groups they don't have access to.

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Date: 
2022-May-04
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.

The vulnerability is mitigated by several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Date: 
2022-May-04
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.

The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Date: 
2022-May-04
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Date: 
2022-April-20
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2022-25274

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

This vulnerability only affects sites using Drupal's revision system.

This advisory is not covered by Drupal Steward.

Pages

Subscribe with RSS Subscribe to Security advisories