Drupal core - Moderately critical - SA-CORE-2021-006(-010)

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 10∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13673

Description

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

Also see Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13674

Description

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 11∕25 
Vulnerability: Access bypass
CVE IDs: CVE-2020-13675

Description

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

The JSON:API or REST File upload modules must be enabled on the site.
An attacker must have access to a file upload via JSON:API or REST.
The site must employ a file validation module.

Also see GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029 which addresses a similar vulnerability for that module.

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass
CVE IDs: CVE-2020-13676

Description

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 12∕25
Vulnerability: Access Bypass
CVE IDs: CVE-2020-13677

Description

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

Solution for SA-CORE-2021-006, SA-CORE-2021-007, SA-CORE-2021-008, SA-CORE-2021-008 and SA-CORE-2021-010

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.