Security

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Nick

Marketing Project Manager

Jul 1, 2020
Add comment

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25 
Vulnerability: Access bypass

Description

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

Drupal 7's end-of-life has been extended until November 28, 2022

Alex

Technical Support Specialist

Jun 24, 2020
Add comment

Drupal 7's end-of-life has been extended until November 28, 2022

PSA-2020-06-24
Date: 2020-June-24

The Drupal Security Team has announced today that given the impact of COVID-19 on budgets and businesses Drupal 7's end-of-life, previously scheduled for November 2021, will be extended until November 28, 2022.

Drupal 7: Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025

Alan

CEO & Founder

Jun 17, 2020
Add comment

Project: Internationalization
Version: 7.x-1.x-dev
Date: 2020-June-17
Security risk: Moderately critical 14∕25 
Vulnerability: Cross site scripting

Description

The Internationalization (i18n) module is a collection of modules to extend Drupal 7 core multilingual capabilities and allows to build real life multilingual sites.

A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability.

Drupal 8 and 9 core - Less critical - Access bypass - SA-CORE-2020-006

Alan

CEO & Founder

Jun 17, 2020
Add comment

Project: Drupal core
Date: 2020-June-17
Security risk: Less critical 8∕25 
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665

Description

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution

Install the latest version:

Drupal 8 and 9 core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Alan

CEO & Founder

Jun 17, 2020
Add comment

Project: Drupal core
Date: 2020-June-17
Security risk: Critical 17∕25 
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664

Description

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Alan

CEO & Founder

Jun 17, 2020
Add comment

Project: Drupal core
Date: 2020-June-17
Security risk: Critical 15∕25 
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13663

Description

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

YubiKey 7.x - Less critical - Access bypass - SA-CONTRIB-2020-023

Nick

Marketing Project Manager

Jun 11, 2020
Add comment

YubiKey 7.x - Less critical - Access bypass - SA-CONTRIB-2020-023

Project: YubiKey
Version: 7.x-2.x-dev
Date:  2020-June-10
Security risk: Less critical 9∕25 
Vulnerability: Access bypass

Description

This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.

Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024

Nick

Marketing Project Manager

Jun 11, 2020
Add comment

Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25 
Vulnerability: Cross site scripting

Description

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

WordPress 5.4.2 has been released

Nick

Marketing Project Manager

Jun 11, 2020
Add comment

This security and maintenance release features 22 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates

Services for Drupal 7- Moderately critical - Access bypass - SA-CONTRIB-2020-022

Nick

Marketing Project Manager

Jun 3, 2020
Add comment

Services for Drupal 7- Moderately critical - Access bypass - SA-CONTRIB-2020-022

Project: Services
Version: 7.x-3.x-dev
Date: 2020-June-03
Security risk: Moderately critical 11∕25
Vulnerability: Access bypass

Description

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contributed modules depend on.

Security

Description

Description

Description

Solution

Description

Description

Description

Description

Description

Pages