The AltaGrade Blog

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Public

Oct 16, 2019
Add comment

Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access Bypass

Description

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

Nick

Marketing Project Manager

Oct 15, 2019
Add comment

WordPress 5.2.4 security release has been announced

WordPress 5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

The following security vulnerabilities have been detected and addressed in this release:

Public

Oct 10, 2019
Add comment

Type: Maintenance work
Category: Advanced infrastructure
Start: October 16, 2019 3:00 AM CEST
End: October 16, 2019 3:05 AM CEST

Description

In the above mentioned period maintenance on our European data-center will be performed. During this maintenance, the affected servers and the websites hosted accounts on them will not be available for about five minutes.

Affected clients

AltaGrade clients who have their projects hosted on Germany-based AltaGrade servers.

Public

Oct 9, 2019
Add comment

Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Project: Maxlength
Date: 2019-October-09
Security risk: Moderately critical 13∕25 
Vulnerability: Cross Site Scripting

Description

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.

The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.

Nick

Marketing Project Manager

Oct 2, 2019
Add comment

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Project: Localization update
Date: 2019-October-02
Security risk: Moderately critical 10∕25 
Vulnerability: Insecure server configuration

Description

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.

Nick

Marketing Project Manager

Oct 2, 2019
Add comment

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Project: Simple AMP (Accelerated Mobile Pages)
Date: 2019-October-02
Security risk: Moderately critical 13∕25 
Vulnerability: Access bypass

Description

This module allows display of a site's content in AMP format.

The module doesn't sufficiently check access on unpublished or restricted content.

Solution

Install the latest version of the module.

Nick

Marketing Project Manager

Sep 25, 2019
Add comment

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Project: Gutenberg
Date: 2019-September-25
Security risk: Critical 16∕25 
Vulnerability: Access bypass

Description

This module provides a new UI experience for node editing - Gutenberg editor.

The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify.

Solution

Install the latest version:

Nick

Marketing Project Manager

Sep 25, 2019
Add comment

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Project: Permissions by Term
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution

Install the latest version:

Nick

Marketing Project Manager

Sep 18, 2019
Add comment

Project: TableField
Version: 8.x-2.x-dev
Date: 2019-September-18
Security risk: Moderately critical 12∕25 
Vulnerability: Access bypass

Description

This module allows you to attach tabular data to an entity.

There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.

Nick

Marketing Project Manager

Sep 5, 2019
Add comment

According to the Public Service Advisory PSA-2011-002 - External libraries and plugins Drupal Security team has released an advisory today with regard to an exploit found in the third party library.

The AltaGrade Blog

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Description

WordPress 5.2.4 security release has been announced

Maintenance on all Germany-based servers

Description

Affected clients

Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

Description

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Description

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

Description

Solution

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

Description

Solution

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Description

Solution

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

Description

Security vulnerability is found in the PHPUnit/Mailchimp library for Drupal

Pages