View online: https://www.drupal.org/sa-contrib-2024-073
Project: Login Disable [1]
Date: 2024-December-11
Security risk: *Critical* 16 ∕ 25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.1.1
Description:
This module enables you to prevent existing users from logging in to your
Drupal site unless they know the secret key to add to the end of the ?q=user
login form page.
The Login Disable module does not correctly prevent a user whose login has
been disabled from logging in, allowing such users to bypass the protection
the module offers.
This vulnerability is mitigated by the fact that an attacker must already
have a user account on the site: the bug lets existing users log in even
while the module has disabled their login.
Solution:
Install the latest version:
* If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to
Login Disable 2.1.1 [3]
The Drupal 7 version of the module is not affected.
Reported By:
* e5sego [4]
Fixed By:
* e5sego [5]
* Sang Lostrie [6]
Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
* Benji Fisher [9] of the Drupal Security Team
[1] https://www.drupal.org/project/login_disable
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/login_disable/releases/2.1.1
[4] https://www.drupal.org/user/261590
[5] https://www.drupal.org/user/261590
[6] https://www.drupal.org/user/2727459
[7] https://www.drupal.org/u/mrbaileys
[8] https://security.drupal.org/user/27
[9] https://www.drupal.org/u/benjifisher
View online: https://www.drupal.org/sa-contrib-2024-071
Project: Entity Form Steps [1]
Date: 2024-December-04
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Affected versions: <1.1.4
Description:
This module allows a site builder to create multi-step entity forms
leveraging the Field Group field type plugins.
The module does not escape plain-text administrative configuration values
before rendering them. An attacker with administrative access could use them
to inject arbitrary JavaScript code.
This vulnerability is mitigated by the fact that an attacker must have a role
with the 'administer [entity_type] form display' permission allowing access
to configure entity form displays.
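The pattern behind a stored XSS of this kind, shown as an added example in plain PHP rather than as code from the Entity Form Steps module (the advisory does not say which code path was affected, and the step array below is a constructed stand-in for admin-entered form-display settings). The vulnerable renderer concatenates configuration values into markup; the hardened one escapes them for both text and attribute context, which is what Drupal's Html::escape() does and what a '#plain_text' render element or an @placeholder in t() gives you, as opposed to '#markup' or a Twig |raw filter:

```php
<?php
// Added example, not code from the Entity Form Steps module: unescaped admin
// configuration reaching HTML (the root cause described in SA-CONTRIB-2024-071)
// beside the escaped version. sampleSteps() is constructed data; the module's
// real data structure and code path are not described by the advisory.

declare(strict_types=1);

/** Constructed admin configuration: step labels typed by a site administrator. */
function sampleSteps(): array
{
    return [
        ['label' => 'Basics'],
        ['label' => 'Details & "extras"'],
        // A malicious or compromised administrator account stores this label.
        ['label' => '<img src=x onerror="alert(document.cookie)">'],
    ];
}

/** Vulnerable: configuration values are concatenated straight into HTML. */
function renderStepsUnescaped(array $steps): string
{
    $html = '<ol class="form-steps">';
    foreach ($steps as $i => $step) {
        $html .= sprintf('<li title="%s">%d. %s</li>', $step['label'], $i + 1, $step['label']);
    }
    return $html . '</ol>';
}

/**
 * Escape for text and double-quoted attribute context. ENT_QUOTES is passed
 * explicitly because before PHP 8.1 the default flags left single quotes
 * alone; Drupal's Html::escape() uses the same flag set.
 */
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened: every configuration value is escaped before it touches markup. */
function renderStepsEscaped(array $steps): string
{
    $html = '<ol class="form-steps">';
    foreach ($steps as $i => $step) {
        $safe = escape((string) $step['label']);
        $html .= sprintf('<li title="%s">%d. %s</li>', $safe, $i + 1, $safe);
    }
    return $html . '</ol>';
}

/** Crude canary: does the output still contain a live tag or event handler? */
function containsActiveMarkup(string $html): bool
{
    return (bool) preg_match('/<img\b|onerror\s*=/i', $html);
}

$steps = sampleSteps();
echo renderStepsUnescaped($steps), "\n";   // the label reaches the browser as markup
echo renderStepsEscaped($steps), "\n";     // the label is displayed as literal text
var_dump(containsActiveMarkup(renderStepsUnescaped($steps)));
var_dump(containsActiveMarkup(renderStepsEscaped($steps)));
```

Run it with `php escape_demo.php`. The escaped renderer turns the third label into `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, so the browser shows the text instead of executing it; the second label demonstrates why the attribute context needs quote escaping as well.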
Solution:
Install the latest version:
* If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to
Entity Form Steps 1.1.4 [3]
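Both advisories on this page state their affected range in the same "Affected versions" notation (`>=2.0.0 <2.1.1` and `<1.1.4`). The following script, added here and not part of either advisory or module, parses that notation and checks the versions recorded in a site's composer.lock against it. It assumes the Composer package names drupal/login_disable and drupal/entity_form_steps (the usual drupal/<project> convention for drupal.org projects); the embedded lock-file excerpt is constructed for the demonstration.

```php
<?php
// Added example, not code from either advisory or module: check whether the
// installed versions of the two modules fall inside the "Affected versions"
// ranges quoted above. Package names assume the drupal/<project> convention;
// the composer.lock excerpt below is constructed, not taken from a real site.

declare(strict_types=1);

/** Affected-version constraints exactly as written in the two advisories. */
const ADVISORIES = [
    'drupal/login_disable'     => ['id' => 'SA-CONTRIB-2024-073', 'affected' => '>=2.0.0 <2.1.1'],
    'drupal/entity_form_steps' => ['id' => 'SA-CONTRIB-2024-071', 'affected' => '<1.1.4'],
];

/**
 * Parse a drupal.org "Affected versions" string such as ">=2.0.0 <2.1.1" into
 * a list of [operator, version] pairs. Space-separated terms are ANDed.
 */
function parseAffected(string $spec): array
{
    $terms = [];
    foreach (preg_split('/\s+/', trim($spec)) as $term) {
        if (!preg_match('/^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$/', $term, $m)) {
            throw new InvalidArgumentException("Unsupported constraint term: $term");
        }
        $terms[] = [$m[1] === '' ? '=' : $m[1], $m[2]];
    }
    return $terms;
}

/** Normalise a Composer version ("v2.1.0" -> "2.1.0"); null if not plain semver. */
function normaliseVersion(string $version): ?string
{
    $v = ltrim($version, 'vV');
    // "2.x-dev" or legacy "8.x-1.4" strings come back as null and are reported.
    return preg_match('/^\d+(?:\.\d+)*$/', $v) ? $v : null;
}

/** True when $version satisfies every term of the constraint. */
function isAffected(string $version, string $spec): bool
{
    foreach (parseAffected($spec) as [$op, $bound]) {
        // version_compare() accepts '<', '<=', '>', '>=' and '==' as operators.
        if (!version_compare($version, $bound, $op === '=' ? '==' : $op)) {
            return false;
        }
    }
    return true;
}

/**
 * Return [package => message] for every advisory whose package is installed
 * at an affected version. Unparseable versions are reported, not ignored.
 */
function checkLock(array $lock, array $advisories = ADVISORIES): array
{
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $name = $pkg['name'] ?? '';
        if (!isset($advisories[$name])) {
            continue;
        }
        $adv = $advisories[$name];
        $v = normaliseVersion((string) ($pkg['version'] ?? ''));
        if ($v === null) {
            $findings[$name] = "{$adv['id']}: cannot parse version '{$pkg['version']}', check manually";
        } elseif (isAffected($v, $adv['affected'])) {
            $findings[$name] = "{$adv['id']}: installed $v is inside '{$adv['affected']}', upgrade";
        }
    }
    return $findings;
}

// Constructed composer.lock excerpt (not from a real site).
$lockJson = <<<'JSON'
{"packages": [
  {"name": "drupal/core", "version": "10.3.6"},
  {"name": "drupal/login_disable", "version": "2.1.0"},
  {"name": "drupal/entity_form_steps", "version": "1.1.4"}
]}
JSON;

$raw = isset($argv[1]) ? file_get_contents($argv[1]) : $lockJson;
$findings = checkLock(json_decode($raw, true, 512, JSON_THROW_ON_ERROR));
foreach ($findings as $pkg => $msg) {
    echo "$pkg: $msg\n";
}
if ($findings === []) {
    echo "no affected versions found\n";
}
```

Run `php check_advisories.php /path/to/composer.lock` against a real site; without an argument it evaluates the constructed excerpt, in which only the Login Disable package falls inside its affected range. Versions such as `2.x-dev` are flagged for manual review rather than silently passed, since a dev snapshot may or may not contain the fix.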
Reported By:
* Ide Braakman [4]
Fixed By:
* Rob [5]
Coordinated By:
* Ivo Van Geertruyen [6] of the Drupal Security Team
[1] https://www.drupal.org/project/entity_form_steps
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entity_form_steps/releases/1.1.4
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/459772
[6] https://www.drupal.org/u/mrbaileys