February 2018

JSON API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-15

Project: JSON API
Date: 2018-February-21
Security risk: *Moderately critical* 13∕25
Vulnerability: Multiple Vulnerabilities


This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014

Project: CKEditor Upload Image
Date: 2018-February-21
Security risk: *Critical* 15∕25
Vulnerability: Access bypass


This module enables you to drag and drop or paste images into CKEditor.
The module does not sufficiently verify users' permissions, which leads to
anonymous users being able to upload files to the server.

Install the latest version:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

For Drupion customers

Do not worry about this security update notice if you host your Drupal website on Drupion with the automatic core update options checked, per the instructions at https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis..., because your website will be updated automatically.

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

Project: Entity API
Date: 2018-February-14
Security risk: *Moderately critical* 10∕25
Vulnerability: Information Disclosure


The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions, thereby causing an information disclosure vulnerability.

VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009

Project: VChess
Date: 2018-February-14
Security risk: *Critical* 18∕25
Vulnerability: Module Unsupported


The Drupal VChess module allows users to play a chess game.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008

Project: Entity Reference Tab / Accordion Formatter
Date: 2018-February-07
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting


This module enables you to show referenced entities in tabs.

The module doesn't sufficiently sanitize the body fields of the referenced
entities when it prints them to the tabs.

FileField Sources - Moderately critical - Information Disclosure - SA-CONTRIB-2018-007

Project: FileField Sources
Date: 2018-February-07
Security risk: *Moderately critical* 12∕25
Vulnerability: Information Disclosure


This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control for the autocomplete
path of reference sources.


Install the latest version: