Drupal Security
jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).
As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed following security issue that may affect sites using the jQuery UI Checkboxradio module:
Solution:Install the latest version. If you use the jQuery UI Checkboxradio module for Drupal 9, upgrade to:
Reported By:- Benji Fisher, provisional member of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
- xjm of the Drupal Security Team
- Lauri Eskola, provisional member of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- xjm of the Drupal Security Team
Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051
This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.
The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.
This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.
Solution:Install the latest version:
- If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050
This module enables you to generate PDF versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.
Solution:Install the latest version:
- If you use the pdf_api module for Drupal 2.x, upgrade to pdf_api 2.2.2
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049
This module enables you to conditionally display blocks in particular theme regions.
The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:Install the latest version:
- If you use the Context module for Drupal 7.x, upgrade to Context 7.x-3.11.
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Media module and therefore is not affected.
Reported By:- Heine of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Samuel Mortenson
- xjm of the Drupal Security Team
- Heine of the Drupal Security Team
- Joseph Zhao, provisional member of the Drupal Security Team
- Vijay Mani, provisional member of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
- Jen Lampton, provisional member of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).
However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.
This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
Solution:Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Auditing your files directory's .htaccess to ensure it has not been overwritten or overridden in a subdirectoryIf your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:
find ./ -name ".htaccess" -print
Drupal automatically creates .htaccess files like the following in the root of the public files directory:
# Turn off all options we don't need. Options -Indexes -ExecCGI -Includes -MultiViews # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 <Files *> # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 </Files> # If we know how to do it safely, disable the PHP engine entirely. <IfModule mod_php7.c> php_flag engine off </IfModule> <IfModule mod_php.c> php_flag engine off </IfModule>Check with your system administrator for the correct .htaccess configuration for the given files directory.
This advisory is not covered by Drupal Steward.
Reported By: Fixed By:- Peter Wolanin of the Drupal Security Team
- xjm of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Jen Lampton, provisional member of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Reported By: Fixed By:- Pierre Rudloff
- Tim Plunkett
- Heine of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- xjm of the Drupal Security Team
- Lauri Eskola, provisional member of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.
Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.
This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Solution:Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
- If you are using Drupal 7, update to Drupal 7.91.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By: Fixed By:- Lee Rowlands of the Drupal Security Team
- Conrad Lara
- mondrake
- Alex Bronstein of the Drupal Security Team
- Dave Reid of the Drupal Security Team
- xjm of the Drupal Security Team
- Guy Elsmore-Paddock
- Dave Long Provisional Member of the Drupal Security Team
- Lauri Eskola Provisional Member of the Drupal Security Team
- David Strauss of the Drupal Security Team
- Benji Fisher Provisional Member of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Fabian Franz
Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048
This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0
See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0
Note on 3rd party vulnerabilitiesThis security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module per our policy (most recent update is PSA-2019-09-04). In this case, because the module required a specific version and could not be updated without a change to the Drupal module we do issue an advisory.
Solution:Install the latest version (8.x-2.6) of this module and update dompdf/dompdf at the same time. It is recommended to use composer to do the update using commands similar to the following:
composer update drupal/entity_printcomposer require dompdf/dompdf:~2 Reported By: Fixed By:
- Lee Rowlands of the Drupal Security Team
- Carlos Santana
- Manoj Selvan
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047
This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.
The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.
This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.
Solution:Install the latest version:
- If you use the Config Terms module for Drupal 9.x, upgrade to Config Terms 8.x-1.6 or later
Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.
The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.
Solution:Install the latest version:
- If you use the lottifiles_field module for Drupal 8.x or 9.x, upgrade to Lottiefiles Field 1.0.3.
- Greg Knaddison of the Drupal Security Team
Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20
The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.
For example, in the future, a Guzzle vendor update like the recent Guzzle security release can be installed by running:
composer update guzzlehttp/guzzleThe change record on drupal/core-recommended and patch-level updates has more detailed information on how this change affects site dependency management.
Drupal security advisories and same-day releases for vendor updates will only be issued if Drupal core is known to be exploitableIt is the Drupal Security Team's policy to create new core releases and issue security advisories for third-party vendor libraries only if an exploit is possible in Drupal core. However, both the earlier version of the drupal/core-recommended metapackage and Drupal.org file archive downloads restrict sites to the exact Composer dependency versions used in Drupal core. Therefore, in practice, we have issued numerous security advisories (or same-day releases without security advisories) where only contributed or custom code might be vulnerable.
For Drupal 9.4.0 and higher, the Security Team plans to no longer issue these "just-in-case" security advisories for Composer dependency security updates. Instead, the dependency updates will be handled as public security hardenings, and will be included alongside other bugfixes in normal Drupal core patch releases. These security hardenings may be released within a few days as off-schedule bugfix releases if contributed projects are known to be vulnerable, or on the next scheduled monthly bugfix window for uncommon or theoretical vulnerabilities. (Keep in mind that Drupal core often already mitigates vulnerabilities present in its dependencies, so automated security scanners sometimes raise false positives when an upstream CVE is announced.)
Site owners are responsible for monitoring security announcements for third-party dependencies as well as for Drupal projects, and for installing dependency security updates when necessary.
Sites built using .tar.gz or .zip file downloads should convert to drupal/core-recommended for same-day dependency updatesDrupal 9.4 sites built with tarball or zip file archives will no longer receive the same level of security support for core dependencies. Going forward, if core is not known to be exploitable, the core file downloads' dependencies will be updated in normal bugfix releases within a few days (if contributed projects are known to be vulnerable) to a few weeks (if the vulnerability is uncommon or theoretical).
Sites built with tarball or zip files should convert to using drupal/core-recommended to apply security updates more promptly than the above timeframe.
Drupal 9.3 will receive prompt, best-effort updates until its end of lifeDrupal 9.3 receives security coverage until the release of Drupal 9.5.0 in December 2022, and will not include the above improvement to drupal/core-recommended. Therefore, we will still try to provide prompt releases of Drupal 9.3 for vendor security updates when it is possible for us to do so.
Since normal bugfixes are no longer backported to Drupal 9.3, there will already be few to no other changes between its future releases, so dependency updates may be released as normal bugfix releases (rather than security-only releases). Security advisories for Drupal 9.3 vendor updates may still be issued depending on the nature of the vulnerability.
Drupal 7 is not affected by this change and Drupal 7 core file downloads remain fully covered by the Drupal Security TeamDrupal 7 core includes only limited use of third-party dependencies (in particular, the jQuery and jQuery UI JavaScript packages). Therefore, Drupal 7 is not affected by this policy change. Note that Drupal 7 sites that use third-party libraries with Drupal 7 contributed modules must still monitor and apply updates for those third-party libraries.
For press contacts, please email security-press@drupal.org.
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011
Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- Failure to strip the Cookie header on change in host or HTTP downgrade
- Fix failure to strip Authorization header on HTTP downgrade
These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.0-rc2.
- If you are using Drupal 9.3, update to Drupal 9.3.16.
- If you are using Drupal 9.2, update to Drupal 9.2.21.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Advanced users may also work around this issue by temporarily using drupal/core instead of drupal/core-recommended and then updating Guzzle to the desired version. More information on managing Guzzle with Drupal 9.4.
Reported By: Fixed By:- Heine of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- cilefen of the Drupal Security Team
- xjm of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.14.
- If you are using Drupal 9.2, update to Drupal 9.2.20.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Reported By: Fixed By:- cilefen of the Drupal Security Team
- xjm of the Drupal Security Team
- Dezső BICZÓ
- Greg Knaddison of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.
The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.
Solution:Install the latest version:
- If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.3
- If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.26
- Greg Knaddison of the Drupal Security Team
Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
Entity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.
Solution:Install the latest version:
- If you use the entity_browser_block module for Drupal 8+, upgrade to entity_browser_block 8.x-1.2
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043
Open Social is a Drupal distribution for online communities.
Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.
This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.
Please note the affected versions were already unsupported, this advisory is released additionally as there are still reported installs for the affected versions.
Solution:Install the latest versions:
- If you use Open Social versions prior to 11.0.0, upgrade to at least Open Social 11.0.0 where this issue is resolved
Preferably use one of the supported versions:
Reported By: Fixed By:A variety of people as part of upgrading to version 11.
Coordinated By:- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
Embed - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2022-042
The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.
In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to Cross-Site Request Forgery.
Solution:Install the latest version:
- If you use the Embed module for Drupal 8.x or 9.x, upgrade to Embed 8.x-1.5
- Dave Reid of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Adam G-H
- Dave Reid of the Drupal Security Team
Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
The Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.
Solution:Install the latest version:
- If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade to Wingsuit 8.x-1.1
- Greg Knaddison of the Drupal Security Team
Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039
The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.
Neue Kommentare
vor 2 Tagen 9 Stunden
vor 2 Tagen 9 Stunden
vor 2 Tagen 13 Stunden
vor 3 Tagen 21 Stunden
vor 5 Tagen 20 Stunden
vor 6 Tagen 11 Stunden
vor 6 Tagen 13 Stunden
vor 6 Tagen 13 Stunden
vor 6 Tagen 18 Stunden
vor 6 Tagen 18 Stunden