August 2018

Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057

Project: Drupal Commerce
Version: 8.x-2.x-dev
Date: 2018-August-29
Security risk: *Moderately critical* 14∕25
Vulnerability: Access bypass

Description

This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.

Solution

Update to Commerce 8.x-2.9.

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

Project: Bing Autosuggest API
Version: 7.x-1.x-dev
Date: 2018-August-29
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API
request.

Solution

Install the latest version:

File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Project: File (Field) Paths
Date: 2018-August-15
Security risk: *Critical* 15∕25
Vulnerability: Remote Code Execution

Description

This module enables you to automatically sort and rename your uploaded files
using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being
uploaded, allowing a remote attacker to execute arbitrary PHP code.

PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17∕25
Vulnerability: Arbitrary PHP code execution

Description

This module enables you to add or overwrite PHP configuration on a Drupal
website.

The module doesn't sufficiently restrict access to setting these configurations,
leading to arbitrary PHP configuration execution by an attacker.

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

* Advisory ID: SA-CORE-2018-005
* Project: Drupal core
* Version: 8.x
* CVE: CVE-2018-14773
* Date: 2018-August-01

DESCRIPTION

The Drupal project uses the Symfony library. The Symfony library has released
a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

WordPress 4.9.8 Maintenance Release

We are pleased to announce the immediate availability of WordPress 4.9.8. This maintenance release fixes 46 bugs, enhancements and blessed tasks, including updating the Twenty Seventeen bundled theme.

Following are the highlights of what is now available.

“Try Gutenberg” callout

Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” callout is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.