Security-news May 2021

security-news@drupal.org

1 participants
5 discussions

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003
by security-news＠drupal.org 27 May '21

27 May '21

View online: https://www.drupal.org/sa-core-2021-003 Project: Drupal core [1] Date: 2021-May-26 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2] Vulnerability: Cross Site Scripting Description: Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix. Users of the CKEditor library via means other than Drupal core should update their 3rd party code (e.g. the WYSIWYG module for Drupal 7). The Drupal Security Team policy is not to alert for issues affecting 3rd party libraries unless those are shipped with Drupal core. See DRUPAL-SA-PSA-2016-004 for more details [3]. This issue is mitigated by the fact that it only affects sites with CKEditor enabled. Solution: Install the latest version: * If you are using Drupal 9.1, update to Drupal 9.1.9 [4]. * If you are using Drupal 9.0, update to Drupal 9.0.14 [5]. * If you are using Drupal 8.9, update to Drupal 8.9.16 [6]. Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage. Reported By: * Or Sahar [7] Fixed By: * Greg Knaddison [8] of the Drupal Security Team * Jess [9] of the Drupal Security Team * Krzysztof Krzton [10] * Lee Rowlands [11] of the Drupal Security Team * Michael Hess [12] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/psa-2016-004 [4] https://www.drupal.org/project/drupal/releases/9.1.9 [5] https://www.drupal.org/project/drupal/releases/9.0.14 [6] https://www.drupal.org/project/drupal/releases/8.9.16 [7] https://www.drupal.org/user/3676145 [8] https://www.drupal.org/user/36762 [9] https://www.drupal.org/user/65776 [10] https://www.drupal.org/user/3618903 [11] https://www.drupal.org/user/395439 [12] https://www.drupal.org/user/102818

1 0

Off Cycle Drupal Core Security Release - PSA-2021-05-25
by security-news＠drupal.org 25 May '21

25 May '21

View online: https://www.drupal.org/psa-2021-05-25 Date: 2021-May-25 Description: There will be a security release of Drupal Core 8.9.x, and 9.1.x on May 26th, 2021 between 16:00 - 18:00 UTC. This Public Service Advisory is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. The security risk of the advisory is currently rated as Moderately Critical. This is not a mass-exploitable vulnerability as far as the security team is currently aware. Given that this is a moderately critical vulnerability and is not believed to be mass exploitable it is not covered by Drupal Steward partners. [1] [1] https://www.drupal.org/drupal-security-team/steward

1 0

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-008 Project: Facets [1] Version: 8.x-1.x-dev Date: 2021-May-12 Security risk: *Moderately critical* 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting Description: This module enables you to add customizable facets on search pages, from core search or searches provided by Search API. The module doesn't sufficiently filter all output in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer facets". Solution: Install the latest version: * If you use the Facets module for Drupal 8.x/9.x, upgrade to Facets 8.x-1.8 [3] Reported By: * Ide Braakman [4] Fixed By: * Markus Kalkbrenner [5] * Ide Braakman [6] * Joris Vercammen [7] Coordinated By: * Damien McKenna [8] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/facets/releases/8.x-1.8 [4] https://www.drupal.org/user/1879760 [5] https://www.drupal.org/user/124705 [6] https://www.drupal.org/user/1879760 [7] https://www.drupal.org/user/2393360 [8] https://www.drupal.org/u/damienmckenna

1 0

Gutenberg - Critical - Cross site scripting - SA-CONTRIB-2021-007
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-007 Project: Gutenberg [1] Version: 8.x-2.x-dev8.x-1.x-dev Date: 2021-May-12 Security risk: *Critical* 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not correctly validate access rules in certain situations allowing anonymous users to delete blocks. Solution: Install the latest version: * If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12 [3] * If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0 [4] * For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks. Reported By: * Stephan Zeidler [5] * Mariusz Andrzejewski [6] Fixed By: * Stephan Zeidler [7] * codebymikey [8] * Marco Fernandes [9] Coordinated By: * Damien McKenna [10] of the Drupal Security Team [1] https://www.drupal.org/project/gutenberg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gutenberg/releases/8.x-1.12 [4] https://www.drupal.org/project/gutenberg/releases/8.x-2.0 [5] https://www.drupal.org/user/767652 [6] https://www.drupal.org/user/3517832 [7] https://www.drupal.org/user/767652 [8] https://www.drupal.org/user/3573206 [9] https://www.drupal.org/user/2127558 [10] https://www.drupal.org/u/damienmckenna

1 0

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009
by security-news＠drupal.org 12 May '21

12 May '21

View online: https://www.drupal.org/sa-contrib-2021-009 Project: Chaos Tool Suite (ctools) [1] Version: 8.x-3.58.x-3.48.x-3.38.x-3.28.x-3.18.x-3.0 Date: 2021-May-12 Security risk: *Moderately critical* 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Information disclosure Description: Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle access control on its EntityView plugin. This vulnerability is mitigated by the fact that successful exploitation requires special conditions in place such as custom solutions that allow injecting the context by means other than the route. Solution: Install the latest version: * If you use the Chaos tool suite module for Drupal 8.x, upgrade to Chaos tool suite 8.x-3.6 [3] Reported By: * Jonathan Hedstrom [4] Fixed By: * Jonathan Hedstrom [5] * Balazs Janos Tatar [6] * Jakob Perry [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/ctools [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ctools/releases/8.x-3.6 [4] https://www.drupal.org/user/208732 [5] https://www.drupal.org/user/208732 [6] https://www.drupal.org/user/649590 [7] https://www.drupal.org/user/45640 [8] https://www.drupal.org/u/greggles

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news May 2021