Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassThe Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.
Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14∕25
Vulnerability: Access bypassThis module enables you to set content permissions based on taxonomy terms.
The module doesn't sufficiently restrict access to translated and unpublished nodes.
This vulnerability is mitigated by the fact that it only affects sites with translated content.
Install the latest version:
Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingjQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).
Project: Context
Version: 7.x-3.x
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site ScriptingThis module enables you to conditionally display blocks in particular theme regions.
The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Project: PDF generator API
Version: 2.2.1, 2.2.0, 2.1.0, 2.0.0
Date: 2022-July-27
Security risk: Moderately critical 12∕25
Vulnerability: Remote Code ExecutionThis module enables you to generate PDF versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Project: Tagify
Version: 1.0.4, 1.0.3, 1.0.2-beta1, 1.0.1-beta1, 1.0.0-beta1
Date: 2022-July-27
Security risk: Moderately critical 11∕25
Vulnerability: Access bypassThis module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 13∕25
Vulnerability: Information DisclosureIn some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12∕25
Vulnerability: Access BypassUnder certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
Install the latest version:
Project: Drupal core
Date: 2022-July-20
Security risk: Critical 15∕25
Vulnerability: Arbitrary PHP code executionDrupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11∕25
Vulnerability: Multiple vulnerabilitiesThe Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Install the latest version: