Project: Drupal core
Date: 2023-September-20
Security risk: Critical 16∕25
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 =10.0 = 10.1 In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
Project: Drupal core
Date: 2023-April-19
Security risk: Moderately critical 13∕25
Vulnerability: Access bypassThe file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 14∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.
Project: Media Responsive Thumbnail
Date: 2023-March-15
Security risk: Moderately critical 14∕25
Vulnerability: Information disclosureThe Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.
This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.
Project: Drupal core
Date:2023-January-18
Security risk: Moderately critical 12∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 =9.5.0 =10.0.0 The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThis module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"
Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13∕25
Vulnerability: Information DisclosureThis module enables you to build searches using a wide range of features, data sources and backends.
The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.
Project: Twig Field Value
Date: 2022-October-12
Security risk: Moderately critical 12∕25
Vulnerability: Access bypassThis module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.
The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.
Project: S3 File System
Date: 2022-September-28
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThis module enables you to utilize S3-compatible storage as a Drupal filesystem.
The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.