Project: reCAPTCHA v3
Date: 2020-May-13
Security risk: Critical 18∕25
Vulnerability: Access bypassThe reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3.
If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.
Project: Webform
Date: 2020-May-13
Security risk: Critical 15∕25
Vulnerability: Access bypassThis webform module enables you to build a 'Term checkboxes' element.
The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element.
Drupal Security team has released multiple critical and moderately critical security advisories for Webform module today. This module enables you to build forms and surveys in Drupal.
Project: Webform
Date: 2020-May-06
Security risk: Critical 17∕25
Vulnerability: Remote Code ExecutionProject: JSON:API
Version: 8.x-1.26
Date: 2020-April-15
Security risk: Critical 15∕25
Vulnerability: UnsupportedThis module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18∕25
Vulnerability: Access bypassThe Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.
The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass.
Install the latest version:
Here it is! Named “Adderley” in honor of Nat Adderley, the latest and greatest version of WordPress is available for download or update in your dashboard.
Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15∕25
Vulnerability: Cross site scripting
SVG Image module allows to upload SVG files.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.
Install the latest version:
Security risk: Moderately Critical
Advisory ID: BACKDROP-SA-CORE-2020-001
Vulnerability: Third Party LibrariesThe Backdrop project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Backdrop configurations.
Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11∕25
Vulnerability: Cross site scriptingThe CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Project: Drupal core
Versions: 8.8.x-dev, 8.7.x-dev
Date: 2020-March-18
Security risk: Moderately critical 13∕25
Vulnerability: Third-party libraryThe Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.