Security-news

security-news@drupal.org

1 participants
1782 discussions

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-052 Project: Monster Menus [1] Date: 2024-October-23 Security risk: *Critical* 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Arbitrary PHP code execution Affected versions: <9.3.4 || >=9.4.0 <9.4.2 Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution. Solution: Install the latest version: * If you use Monster Menus branch *9.4.x*, upgrade to monster_menus 9.4.2 [3] * If you use Monster Menus branch *9.3.x*, upgrade to monster_menus 9.3.4 [4] Reported By: * Drew Webber [5] of the Drupal Security Team Fixed By: * Drew Webber [6] of the Drupal Security Team * Dan Wilga [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team [1] https://www.drupal.org/project/monster_menus [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/monster_menus/releases/9.4.2 [4] https://www.drupal.org/project/monster_menus/releases/9.3.4 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/255969 [7] https://www.drupal.org/user/56892 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/user/255969

1 0

Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-051 Project: Views SVG Animation [1] Date: 2024-October-23 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <1.0.1 Description: This module enables you to animate an SVG graphic by selecting certain rows in a view. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files. Solution: Install the latest version: * If you use the views_svg_animation module for Drupal 10 or 11, upgrade to views_svg_animation 1.0.1 [3] Reported By: * Pierre Rudloff [4] Fixed By: * Jürgen Haas [5] Coordinated By: * Juraj Nemec [6] of the Drupal Security Team [1] https://www.drupal.org/project/views_svg_animation [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/views_svg_animation/releases/1.0.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/168924 [6] https://www.drupal.org/u/poker10

1 0

SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
by security-news＠drupal.org 23 Oct '24

23 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-050 Project: SVG Embed [1] Date: 2024-October-23 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting Affected versions: <2.1.2 Description: This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter. Solution: Install the latest version: * If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed 7.x-1.3 [3] * If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed 2.1.2 [4] Reported By: * Pierre Rudloff [5] Fixed By: * Ivo Van Geertruyen [6] of the Drupal Security Team * Jürgen Haas [7] Coordinated By: * Ivo Van Geertruyen [8] of the Drupal Security Team [1] https://www.drupal.org/project/svg_embed [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/svg_embed/releases/7.x-1.3 [4] https://www.drupal.org/project/svg_embed/releases/2.1.2 [5] https://www.drupal.org/user/3611858 [6] https://www.drupal.org/user/383424 [7] https://www.drupal.org/user/168924 [8] https://www.drupal.org/user/383424

1 0

Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
by security-news＠drupal.org 16 Oct '24

16 Oct '24

View online: https://www.drupal.org/sa-core-2024-002 Project: Drupal core [1] Date: 2024-October-16 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Improper error handling Affected versions: >=10.0 < 10.2.10 Description: Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur. Solution: Install the latest version: * If you are using Drupal 10.2, update to Drupal 10.2.10 [3]. * Drupal 10.3 and above are not affected, nor is Drupal 7. All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 [4] and Drupal 9 [5] have both reached end-of-life.) This advisory is not covered by Drupal Steward [6]. Reported By: * Pierre Rudloff [7] Fixed By: * catch [8] of the Drupal Security Team * Lee Rowlands [9] of the Drupal Security Team * Benji Fisher [10] of the Drupal Security Team * Kim Pepper [11] * Wim Leers [12] * xjm [13] of the Drupal Security Team Coordinated By: * xjm [14] of the Drupal Security Team * Dave Long [15] of the Drupal Security Team * Juraj Nemec [16] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/10.2.10 [4] https://www.drupal.org/psa-2021-06-29 [5] https://www.drupal.org/psa-2023-11-01 [6] https://www.drupal.org/steward [7] https://www.drupal.org/user/3611858 [8] https://www.drupal.org/user/35733 [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/683300 [11] https://www.drupal.org/user/370574 [12] https://www.drupal.org/user/99777 [13] https://www.drupal.org/user/65776 [14] https://www.drupal.org/user/65776 [15] https://www.drupal.org/u/longwave [16] https://www.drupal.org/u/poker10

1 0

wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-049 Project: wkhtmltopdf [1] Date: 2024-October-09 Security risk: *Highly critical* 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:All [2] Vulnerability: Unsupported Affected versions: * Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] in full. [1] https://www.drupal.org/project/wkhtmltopdf [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#procedure---own-project---unsupported [4] https://www.drupal.org/node/251466#procedure---own-project---unsupported

1 0

Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-046 Project: Block permissions [1] Date: 2024-October-09 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: >=1.0.0 <1.2.0 Description: This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). The attacker can add the block to the theme where they can't manage blocks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]". Solution: Install the latest version: * If you use the block_permissions module for Drupal 8.x, upgrade to block_permissions version at least 8.x-1.2 [3] or the more recent 8.x-1.3 [4] Reported By: * Francesco Sardara [5] Fixed By: * Francesco Sardara [6] * Evgenii Nikitin [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/block_permissions [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/block_permissions/releases/8.x-1.2 [4] https://www.drupal.org/project/block_permissions/releases/8.x-1.3 [5] https://www.drupal.org/user/2353864 [6] https://www.drupal.org/user/2353864 [7] https://www.drupal.org/user/682600 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10

1 0

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-047 Project: Facets [1] Date: 2024-October-09 Security risk: *Critical* 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <2.0.9 Description: This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability. Solution: Install the latest version: * If you use the Facets module, upgrade to Facets 2.0.9 [3] Reported By: * Andrea Racco [4] Fixed By: * Andrea Racco [5] * Markus Kalkbrenner [6] * Joris Vercammen [7] * Jimmy Henderickx [8] Coordinated By: * Greg Knaddison [9] of the Drupal Security Team * Juraj Nemec [10] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/facets/releases/2.0.9 [4] https://www.drupal.org/user/2950843 [5] https://www.drupal.org/user/2950843 [6] https://www.drupal.org/user/124705 [7] https://www.drupal.org/user/2393360 [8] https://www.drupal.org/user/462700 [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/poker10

1 0

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-048 Project: Gutenberg [1] Date: 2024-October-09 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery Affected versions: <2.13.0 || >=3.0.0 <3.0.5 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission. Solution: Install the latest version: * If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.13 [3] * If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5 [4] Reported By: * Mingsong [5] Fixed By: * Mingsong [6] * Lee Rowlands [7] of the Drupal Security Team * Eirik Morland [8] * Stephan Zeidler [9] * Cathy Theys [10] of the Drupal Security Team * codebymikey [11] * Marco Fernandes [12] Coordinated By: * Greg Knaddison [13] of the Drupal Security Team * Juraj Nemec [14] of the Drupal Security Team [1] https://www.drupal.org/project/gutenberg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gutenberg/releases/8.x-2.13 [4] https://www.drupal.org/project/gutenberg/releases/3.0.5 [5] https://www.drupal.org/user/2986445 [6] https://www.drupal.org/user/2986445 [7] https://www.drupal.org/user/395439 [8] https://www.drupal.org/user/1014468 [9] https://www.drupal.org/user/767652 [10] https://www.drupal.org/user/258568 [11] https://www.drupal.org/user/3573206 [12] https://www.drupal.org/user/2127558 [13] https://www.drupal.org/u/greggles [14] https://www.drupal.org/u/poker10

1 0

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045
by security-news＠drupal.org 09 Oct '24

09 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-045 Project: Monster Menus [1] Date: 2024-October-09 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <9.3.2 Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended. This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter. Solution: Install the latest version: * If you use the monster_menus module for Drupal 7.x, upgrade to monster_menus 7.x-1.34 [3]. * If you use the monster_menus module version *9.3.x*, upgrade to monster_menus 9.3.2 [4]. * If you use the monster_menus module version *9.4.0 or newer*, no change is needed. Reported By: * Dan Wilga [5] Fixed By: * Dan Wilga [6] * Ian McBride [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team * Damien McKenna [10] of the Drupal Security Team [1] https://www.drupal.org/project/monster_menus [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/monster_menus/releases/7.x-1.34 [4] https://www.drupal.org/project/monster_menus/releases/9.3.2 [5] https://www.drupal.org/user/56892 [6] https://www.drupal.org/user/56892 [7] https://www.drupal.org/user/539500 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/damienmckenna

1 0

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042
by security-news＠drupal.org 02 Oct '24

02 Oct '24

View online: https://www.drupal.org/sa-contrib-2024-042 Project: Diff [1] Date: 2024-October-02 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <1.8.0 || >=2.0.0 <2.0.0-beta3 Description: This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1) nodes or 2) general entities that support diff. This vulnerability is mitigated by the fact that an attacker must have a role with the permission from the general node permission to "view all revisions", one of the more specific node type permissions, "view %bundle revisions" or the equivalent for other general entity types. Solution: Install the latest version: * If you use the Diff module for Drupal, upgrade to Diff 8.x-1.8 [3] Reported By: * Matthias Vogel [4] Fixed By: * Matthias Vogel [5] * Lucas Hedding [6] * Adam Bramley [7] Coordinated By: * Greg Knaddison [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team [1] https://www.drupal.org/project/diff [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/diff/releases/8.x-1.8 [4] https://www.drupal.org/user/3319139 [5] https://www.drupal.org/user/3319139 [6] https://www.drupal.org/user/1463982 [7] https://www.drupal.org/user/1036766 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news