Project: Drupal core
Date: 2022-July-20
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code executionDrupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25
Vulnerability: Multiple vulnerabilitiesThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Install the latest version:
Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13∕25
Vulnerability: Multiple: Remote Code Execution, Information disclosureThis module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0
Project: Lottiefiles Field
Date: 2022-June-29
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site ScriptingThe Lottiefiles Field module enables you to integrate the lottiefiles features into your page.
The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
Project: Config Terms
Date: 2022-June-29
Security risk: Critical 15∕25
Vulnerability: Access bypassThis module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.
Project: Drupal core
Date: 2022-June-10
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-31042, CVE-2022-31043Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
Project: Drupal core
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-29248Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
Project: Embed
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingThe Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.
In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).
Project: Open Social
Date: 2022-May-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassOpen Social is a Drupal distribution for online communities.
Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.
Project: Entity Browser Block
Date: 2022-May-25
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassEntity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.