ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Date: 2023-August-23

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

Date: 2023-August-02

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not validate the Matomo JS code loaded on the website, so a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

Date: 2023-July-26

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030

Date: 2023-July-12

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

Date: 2023-June-28

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.

Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028

Date: 2023-June-28

This module enables you to render a field in an expandable/collapsible region.

The module doesn't sufficiently sanitize the field content when displaying it to an end user.

This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter.

Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027

Date: 2023-June-28

This module enables a UI to display all libraries provided by modules and themes on the Drupal site.

The module doesn't sufficiently protect the libraries reporting page. It currently uses the 'access content' permission rather than a proper administrative permission.

The library information is exposed to anyone who visits or knows the URL of the reporting page. The solution is to protect the page with a module-specific permission that must be granted by an administrative user.
