Drupal Security
Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.
The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).
This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.
Solution: Install the latest version:
- If you use the Registration role module version 2.x, upgrade to Registration role 2.0.1
Review user accounts registered between 2023 July 11 and now for additional roles you did not intend them to have. If your site missed or reverted a configuration update in the version 2.0.0 release of Registration Role (or the development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, users who registered received all roles, up until you re-saved the settings form or installed the new release, whichever came first.
Also, upgrade to the latest version and run update hooks at update.php or with Drush (drush updb).
OR: Immediately re-save the configuration page at /admin/people/registration-role
Reported By / Fixed By:
- Juraj Nemec of the Drupal Security Team
- Benjamin Melançon
- Juraj Nemec of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014
The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.
This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.
Solution: Upgrade to Symfony Mailer Lite 1.0.6 and rebuild Drupal's cache.
Reported By / Fixed By:
- Lee Rowlands of the Drupal Security Team
- Wayne Eaker
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013
This module provides an alternative means of rebuilding the Content Access table.
The module doesn't sufficiently reset the state of content access when the module is uninstalled.
Solution: Install the latest version:
- If you use the node_access_rebuild_progressive module for Drupal 7, upgrade to node_access_rebuild_progressive 7.x-1.2
- Jen Lampton Provisional Member of the Drupal Security Team
- Shelane French
- Juraj Nemec of the Drupal Security Team
- Jen Lampton Provisional Member of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.
The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".
Solution: Install the latest version:
- If you use the Private Content module for Drupal 8.x, upgrade to Private Content 8.x-2.1
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011
The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup.
The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu links".
Solution: Install the latest version:
- If you use the Coffee module for Drupal 10, upgrade to Coffee 8.x-1.4
- Greg Knaddison of the Drupal Security Team
Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010
This module provides an alternative means of rebuilding the Content Access table.
The module doesn't sufficiently reset the state of content access when the module is uninstalled.
Solution: Install the latest version:
- If you use the node_access_rebuild_progressive module for Drupal 9.4+, upgrade to node_access_rebuild_progressive 2.0.2
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact that it requires:
- full-page editing mode to be enabled,
- or CDATA elements in the Advanced Content Filtering configuration (defaults to script and style elements) to be enabled.
- An attacker must also have a permission with access to the CKEditor instance.
For more information, see CKEditor's security advisory:
CVE-2024-24815: Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
Install the latest version:
- If you use the CKEditor 4 LTS - WYSIWYG HTML editor module for Drupal 9.4+, upgrade to ckeditor_lts 1.0.1
- Juraj Nemec of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- catch of the Drupal Security Team
- cilefen of the Drupal Security Team
Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008
The Migrate Tools module provides tools for running and managing Drupal migrations.
The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios, allowing an attacker to trick an authenticated administrator into initiating a migration.
This vulnerability is mitigated by the fact that an attacker must know the name of the migration.
Solution: Install the latest version:
- If you use the Migrate Tools module for Drupal 10, upgrade to Migrate Tools 6.0.3
- Greg Knaddison of the Drupal Security Team
Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007
The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments.
It does not sufficiently restrict access to the log report page, allowing an attacker to view information from deleted entities.
Solution: Install the latest version:
- If you use the Entity Delete Log module for Drupal 9.x/10.x, upgrade to Entity Delete Log 1.1.1
Note: This release updates the default permissions for the entity_delete_log view. After the update, you may want to review that permission if you already changed it from the default.
Reported By / Fixed By / Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Heine of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006
The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.
The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which requires either another contributed module or a custom integration.
Solution: Uninstall this module immediately. The swiftmailer library has been unsupported for a year, and this module is now also unsupported.
Changing to a replacement module is suggested; the following were specifically suggested by the module maintainers:
Reported By / Fixed By / Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005
Open Social is a Drupal distribution for online communities.
The included optional social_group_flexible_group module doesn't sufficiently validate group updates. The lack of validation makes it possible for content inside the group to change its visibility, which could lead to that content being shown to a broader audience than intended.
This vulnerability is mitigated by the fact that the social_group_flexible_group module needs to be enabled.
Solution: Install the latest version of Open Social:
- If you use the Open Social distribution for Drupal 12.x, upgrade to Open Social 12.0.5
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004
Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed.
This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level.
Install the latest version of Open Social:
- If you use the Open Social distribution for Drupal 12.x, upgrade to Open Social 12.0.5
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled.
This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.
Solution: Install the latest 8.x-1.2 version:
- If you use the Two-factor Authentication (TFA) module for Drupal 8, 9, or 10, upgrade to TFA 8.x-1.5
After installing this update, disabled plugins will no longer be offered or accepted as a second factor option.
If an account is configured with only disabled plugins, login will be prohibited and the configured TFA "Help text" displayed instead of a second factor prompt.
To allow access for a locked-out user, site owners may consider enabling the plugin (admin/config/people/tfa) or may use their existing procedures for granting access to accounts where the user has forgotten or lost their second factor tokens.
Accounts with both enabled and disabled plugins will prompt the account owner with one of the remaining enabled plugins.
Reported By / Fixed By:
- Conrad Lara
- Juraj Nemec of the Drupal Security Team
- João Ventura
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Heine of the Drupal Security Team
Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DoS).
Sites that do not use the Comment module are not affected.
Solution: Install the latest version:
- If you are using Drupal 10.2, update to Drupal 10.2.2.
- If you are using Drupal 10.1, update to Drupal 10.1.8.
All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Drupal 7 is not affected.
Reported By / Fixed By:
- Lee Rowlands of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- xjm of the Drupal Security Team
- Lauri Eskola, provisional member of the Drupal Security Team
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002
The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.
The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that it is only exposed when the twig filter is specifically used in a template to render content.
Solution: Install the latest version:
- If you use the Typogrify module for Drupal 10.x, upgrade to Typogrify 8.x-1.3
If you use the typogrify Twig filter provided by this module, then this update may cause double-encoding of text. See the updated README for best practices.
Reported By / Fixed By:
- Benji Fisher of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001
File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.
The module previously did not sufficiently validate files in the file replacement scenario, leading to multiple exploit paths including persistent Cross Site Scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit files.
Solution: Install the latest version:
- If you use the file_entity module for Drupal 7.x, upgrade to File Entity 7.x-2.38.
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055
This module allows you to turn various data sources (e.g. a CSV or JSON file) into interactive visualisations. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.
This module uses two third-party JS libraries with low- to medium-severity vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.
The issue is mitigated by the fact that an attacker needs the permission to create or edit content that is displayed using the Data Visualisation Framework.
Solution: Install the latest version:
- If you use the Data Visualisation Framework for Drupal module (DVF for short), upgrade to dvf 2.0.2
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- cilefen of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
Group - Less critical - Access bypass - SA-CONTRIB-2023-054
The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.
The module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.
This vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.
Solution: Install the latest version:
- Sites using Group version 2 should upgrade to Group v2.2.2
- Sites using Group version 3 should upgrade to Group v3.2.2
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053
The Xsendfile module enables fast transfer for private files in Drupal.
In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.
Solution: Install the latest version:
- If you use the Xsendfile module for Drupal 8.x, upgrade to Xsendfile 8.x-1.2.
- Greg Knaddison of the Drupal Security Team