Show advisories for only Drupal Core, only contributed projects, or only PSAs

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Date: 
2022-July-20
Security risk: 
Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25278

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Date: 
2022-July-20
Security risk: 
Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-25275

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Date: 
2022-July-13
Security risk: 
Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default

This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0

See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

Date: 
2022-June-29
Security risk: 
Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Date: 
2022-June-29
Security risk: 
Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.

Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20

Date: 
2022-June-20

In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Date: 
2022-June-10
Security risk: 
Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-31042
CVE-2022-31043

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Date: 
2022-May-25
Security risk: 
Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2022-29248

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

Date: 
2022-May-25
Security risk: 
Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.

The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Date: 
2022-May-25
Security risk: 
Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All

Entity Browser Block provides a Block Plugin for every Entity Browser on your site.

The module didn't sufficiently check entity view access in the block form.

This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.

Pages

Subscribe with RSS Subscribe to Security advisories