The AltaGrade Blog

Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 14∕25
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Project: Custom Breadcrumbs
Date: 2022-February-09
Security risk: Less critical 8∕25 
Vulnerability: Cross Site Scripting

Description

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission.

Because of known security issues for the contributed modules and themes which have not been fixed by their maintainer, as of today - January 25, 2022 - the Drupal Security Team has marked them all as unsupported.

If you are an AltaGrade customer with Drupal websites hosted on our platform and using the following modules or themes, then please let us know and we will make necessary changes.

Project: Private Taxonomy Terms
Date: 2022-January-26
Security risk: Critical 15∕25
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities

Description

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.