Project: Drupal core
Date: 2020-June-17
Security risk: Critical 15∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13663The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
Project: YubiKey
Version: 7.x-2.x-dev
Date: 2020-June-10
Security risk: Less critical 9∕25
Vulnerability: Access bypassThis module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.
Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.
The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
The first official release of Drupal 9 has been announced today on June 3, 2020. This is the first supported release of the new Drupal 9 major version, and it is ready for use on production sites!
Project: Services
Version: 7.x-3.x-dev
Date: 2020-June-03
Security risk: Moderately critical 11∕25
Vulnerability: Access bypassThis module provides a standardized solution for building API's so that external clients can communicate with Drupal.
The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contributed modules depend on.
Drupal 7.71 has been released today on 3 June 2020. This maintenance release of the Drupal 7 series includes bug fixes and small API/feature improvements. It does not have any major, non-backwards-compatible new functionalities. No security fixes are included in this release either.
Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20∕25
Vulnerability: Access bypassProject: Drupal Commerce
Date: 2020-May-27
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassDrupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.
Project: Drupal core
Date: 2020-May-20
Security risk: Moderately critical 10∕25
Vulnerability: Open RedirectDrupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.
The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.
Project: reCAPTCHA v3
Date: 2020-May-13
Security risk: Critical 18∕25
Vulnerability: Access bypassThe reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3.
If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.