Drupal Security
Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009
The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.
The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass.
Solution:Install the latest version:
- If you use the spamicide module for Drupal 7.x, upgrade to spamicide 7.x-1.3
Also see the Spamicide project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008
SVG Image module allows to upload SVG files.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.
Solution:Install the latest version:
- If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10
Also see the Svg Image project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.
Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).
The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.
Solution:Install the latest version:
- If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.19
Also see the CKEditor- WYSIWYG HTML editor project page
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.
Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.
Solution:Install the latest version:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.4.
- If you are using Drupal 8.7.x, upgrade to Drupal 8.7.12.
Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.
The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.
Note for Drupal 7 usersDrupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.
SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006
This module enables you to authenticate Drupal users using an external SAML Identity Provider.
If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.
This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration.
Solution:Install the latest version:
- If you use the SAML Service Provider module for Drupal 8.x, upgrade to SAML Service Provider 8.x-3.7
Also see the SAML Service Provider project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005
SVG Formatter module provides support for using SVG images on your website.
This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.
This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.
Solution:Install the latest version:
- If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.12
Also see the SVG Formatter project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004
The Profile module enables you to allow users to have configurable user profiles.
The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.
Solution:Install the latest version:
- If you use the Profile module for Drupal 8.x, upgrade to Profile 8.x-1.1
Also see the Profile project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Views Bulk Operations provides enhancements to running bulk actions on views.
The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.
This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).
Solution:Install the latest version:
- If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-3.4
- If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-2.6
Also see the Views Bulk Operations (VBO) project page.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002
The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.
This module contains a spamspan twig filter which doesn't sanitize the passed HTML string.
This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpan filter on a field that an attacker could populate. By default the SpamSpan module does not use the vulnerable twig filter.
Solution:Install the latest version:
- If you use the SpamSpan module for Drupal 8.x, upgrade to SpamSpan 8.x-1.1
Also see the SpamSpan filter project page.
Reported By: Fixed By: Coordinated By:- Ben Jeavons of the Drupal Security Team
Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.
The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.
This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.
Solution:Install the latest version:
- If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8
Also see the Radix project page.
Reported By: Fixed By:- David Snopek of the Drupal Security Team
- David Snopek of the Drupal Security Team
Neue Kommentare
vor 14 Stunden 12 Minuten
vor 14 Stunden 55 Minuten
vor 1 Tag 6 Stunden
vor 1 Tag 7 Stunden
vor 1 Tag 10 Stunden
vor 1 Tag 11 Stunden
vor 2 Tagen 16 Stunden
vor 3 Tagen 5 Stunden
vor 3 Tagen 8 Stunden
vor 3 Tagen 12 Stunden