Drupal

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

Nick

Marketing Project Manager

May 18, 2022
Add comment

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

Project: Wingsuit - Storybook for UI Patterns
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: Critical 16∕25
Vulnerability: Access bypass

Description

The Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.

The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.

Solution

Install the latest version:

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

Nick

Marketing Project Manager

May 5, 2022
Add comment

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

Project: Duo Two-Factor Authentication
Date: 2022-May-04
Security risk: Critical 15∕25
Vulnerability: Unsupported

Description

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

Nick

Marketing Project Manager

May 5, 2022
Add comment

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

Project: Quick Node Clone
Date: 2022-May-04
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Nick

Marketing Project Manager

May 5, 2022
Add comment

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Project: Image Field Caption
Version: 8.x-1.1
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting

Description

Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.

The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Nick

Marketing Project Manager

May 5, 2022
Add comment

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Project: Doubleclick for Publishers (DFP)
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Nick

Marketing Project Manager

May 5, 2022
Add comment

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

Project: Link
Date: 2022-May-04
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting

Description

This module enables you to add URL fields to entity types with a variety of options.

The module doesn't sufficiently filter output when token processing is disabled on an individual field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Nick

Marketing Project Manager

Apr 20, 2022
Add comment

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Project: Drupal core
Date: 2022-April-20
Security risk: Moderately critical 12∕25 
Vulnerability: Improper input validation

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Nick

Marketing Project Manager

Apr 13, 2022
Add comment

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Nick

Marketing Project Manager

Mar 23, 2022
Add comment

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Project: Colorbox Node
Date: 2022-March-23
Security risk: Critical 15∕25
Vulnerability: Unsupported

Drupal

Description

Solution

Description

Description

Description

Description

Description

Description

Description

Description

Pages