April 2018

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Project: DRD Agent
Date: 2018-April-25
Security risk: *Critical* 15/25
Vulnerability: PHP object injection


This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: *Moderately critical* 11/25
Vulnerability: Cross Site Request Forgery


This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated
traffic using cookie-based authentication.

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: *Critical* 18/25
Vulnerability: Remote Code Execution


The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.


Install the latest version:

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days.

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Project: Display Suite
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: *Critical* 17/25
Vulnerability: Cross site scripting (XSS)


Display Suite allows you to take full control over how your content is
displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via
URLs leading to a reflected cross site scripting (XSS) attack.

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk: *Critical* 17/25
Vulnerability: Access bypass


This module helps in exporting and importing Menu Items via the
administrative interface.

The module does not properly restrict access to administrative pages,
allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Project: Drupal core
Date: 2018-April-18
Security risk: *Moderately critical* 12/25
Vulnerability: Cross Site Scripting


CKEditor, a third-party JavaScript library included in Drupal core, has fixed
a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed
from the fact that it was possible to execute XSS inside CKEditor when using
the image2 plugin (which Drupal 8 core also uses).

WordPress 4.9.5 Security and Maintenance Release

WordPress 4.9.5 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team's ongoing commitment to security hardening, the following fixes have been implemented in 4.9.5: