The AltaGrade Blog

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Feb 16, 2022
Add comment

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Project: Drupal core
Date: 2022-February-16
Security risk: Moderately critical 14∕25
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271

Description

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

Read More

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Feb 9, 2022
Add comment

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

Project: Fancy File Delete
Date: 2022-February-09
Security risk: Moderately critical 14∕25 
Vulnerability: Access Bypass

Description

This module enables you to manage and delete files.

The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.

Read More

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Feb 9, 2022
Add comment

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

Project: Custom Breadcrumbs
Date: 2022-February-09
Security risk: Less critical 8∕25 
Vulnerability: Cross Site Scripting

Description

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission.

Read More

Is Drupal affected by Log4j vulnerabilities?

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 30, 2022
Add comment

Is Drupal affected by Log4j shell vulnerabilities?

Since the new vulnerability for Apache Log4j detected in December 2021 got massive news coverage around the globe, we started receiving concerned questions from our customers about how this could affect their Drupal websites hosted on AltaGrade platform. And such Log4j-related support requests still continue to be filed in our customer support portal and because they all have the same or similar resolutions, I decided to summarize them here in form of questions and answers.

Read More

Multiple contributed projects have been marked unsupported by Drupal Security Team today

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 26, 2022
Add comment

Multiple contributed projects have been marked unsupported by Drupal Security Team today

Because of known security issues for the contributed modules and themes which have not been fixed by their maintainer, as of today - January 25, 2022 - the Drupal Security Team has marked them all as unsupported.

If you are an AltaGrade customer with Drupal websites hosted on our platform and using the following modules or themes, then please let us know and we will make necessary changes.

Read More

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 26, 2022
Add comment

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

Project: Navbar
Date: 2022-January-25
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site Scripting

Description

This module provides a very simple, mobile-friendly navigation toolbar.

The module doesn't sufficiently check for user-provided input.

This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format (like the default "Filtered HTML" format) that won't filter out the exploit code.

Solution

Install the latest version:

Read More

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 26, 2022
Add comment

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Project: Private Taxonomy Terms
Date: 2022-January-26
Security risk: Critical 15∕25
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities

Description

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Read More

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 19, 2022
Add comment

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Project: jQuery UI Datepicker
Date: 2022-January-19
Security risk: Moderately critical 14∕25 
Vulnerability: Cross Site Scripting

Description

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Read More

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 5, 2022
Add comment

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

Project: Super Login
Date: 2022-January-05
Security risk: Critical 18∕25
Vulnerability: Access bypass

Description

This module enables you to login with an email address.

The module doesn't sufficiently check if a user account is active when using email login.

This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked.

Solution

Install the latest version:

Read More

Pages