September 2018

Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Project: Taxonomy File Tree
Version: 7.x-1.0
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25
Vulnerability: Access bypass


Taxonomy File Tree allows site managers to create file trees.

For files managed as Drupal files, the module does not properly check that a
user has access to a file before letting the user download the file.

This vulnerability only affects sites that use private files.
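The pattern behind this class of bug, as an added example that is not the Taxonomy File Tree module's own code: a hypothetical "filetree_demo" module exposes a download path for a managed file by fid. Everything it calls is Drupal 7 core API (hook_menu(), the %file loader, file_uri_scheme(), file_create_url(), file_download_headers(), file_transfer()). The vulnerable callback relies on a site-wide permission and streams the file; the fixed one asks hook_file_download() implementations whether this user may read this private file.

```php
<?php
/**
 * Added example, not the Taxonomy File Tree module's own code.
 *
 * A hypothetical "filetree_demo" module with a download path for a managed
 * file identified by fid. Only Drupal 7 core API is used.
 */

/**
 * Implements hook_menu().
 */
function filetree_demo_menu() {
  $items['filetree-demo/download/%file'] = array(
    'page callback' => 'filetree_demo_download',
    'page arguments' => array(2),
    // A site-wide permission says the user may browse the site. It says
    // nothing about whether they may read this particular private file,
    // so it cannot be the only check before the bytes are streamed.
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable shape. The fid resolved to a file record and the menu access
 * check passed, so the file is streamed. Nobody asked whether the current
 * user may see *this* file, which for private:// files is the question
 * hook_file_download() implementations (field access, entity access, a
 * module's own rules) exist to answer.
 */
function filetree_demo_download_vulnerable($file) {
  file_transfer($file->uri, array(
    'Content-Type' => mime_header_encode($file->filemime),
    'Content-Length' => $file->filesize,
  ));
}

/**
 * Fixed shape. Public files are served by the web server whatever Drupal
 * decides, so just point at them. Private files go through
 * file_download_headers(), which calls every hook_file_download(): a module
 * returning -1 denies, and no module granting at all also yields an empty
 * result, so an unreferenced private file stays unreachable.
 */
function filetree_demo_download($file) {
  if (file_uri_scheme($file->uri) != 'private') {
    drupal_goto(file_create_url($file->uri));
  }
  $headers = file_download_headers($file->uri);
  if (empty($headers)) {
    // No module vouched for this user and file: deny instead of streaming.
    return MENU_ACCESS_DENIED;
  }
  // The headers came from the module that granted access, so they already
  // carry the right Content-Type and Content-Length for the file it vetted.
  file_transfer($file->uri, $headers);
}
```

A module that does not need its own download path can avoid the problem entirely: for a private:// URI, file_create_url() yields a system/files/... path, which core routes through file_download() and the same hook_file_download() check. The bug only bites when a module serves private files itself and skips that step, which is why the advisory notes that only sites using private files are affected.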

Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

Project: Commerce Klarna Checkout
Version: 7.x-1.4
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25
Vulnerability: Access bypass


The Commerce Klarna Checkout module enables you to accept payments from the
Klarna Checkout payment provider.

The module doesn't sufficiently validate the payment callback made by Klarna.
An attacker could bypass the payment step.
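What "sufficiently validate the payment callback" means in practice, as an added example that is not the Commerce Klarna Checkout module's own code: a hypothetical "klarna_demo" payment method for Drupal Commerce 7.x with the push callback a provider calls once checkout completes. The helper klarna_demo_fetch_order() is assumed, not from the advisory or the module; it stands for a server-side, credentialed GET of the provider's order resource. The order fields it is assumed to return ('id', 'status', 'purchase_currency', 'merchant_reference' => array('orderid1'), 'cart' => array('total_price_including_tax'), amounts in minor units) follow the shape of Klarna Checkout v2 and are likewise assumptions. The vulnerable handler believes the request; the hardened one takes only an order reference from it and decides on what the provider's API reports.

```php
<?php
/**
 * Added example, not the Commerce Klarna Checkout module's own code.
 *
 * Hypothetical "klarna_demo" payment method for Drupal Commerce 7.x.
 * Assumed helper: klarna_demo_fetch_order($uri) performs a server-side GET
 * of the Klarna order resource with the merchant's shared secret and returns
 * an array with 'id', 'status', 'purchase_currency',
 * 'merchant_reference' => array('orderid1' => ...) and
 * 'cart' => array('total_price_including_tax' => ...), amounts in minor
 * units (the Klarna Checkout v2 shape). Commerce amounts are minor units too.
 */

/**
 * Implements hook_menu().
 */
function klarna_demo_menu() {
  $items['klarna-demo/push/%commerce_order'] = array(
    'page callback' => 'klarna_demo_push',
    'page arguments' => array(2),
    // Klarna's servers have no Drupal session, so the handler itself has to
    // establish that a payment really happened.
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable shape: the request is believed. The callback URL is visible to
 * the customer's browser during checkout, so the customer can call it for
 * their own unpaid order with status=checkout_complete and skip paying.
 */
function klarna_demo_push_vulnerable($order) {
  if (isset($_GET['status']) && $_GET['status'] == 'checkout_complete') {
    klarna_demo_mark_paid($order, $_GET['klarna_order']);
  }
  drupal_json_output(array('ok' => TRUE));
  drupal_exit();
}

/**
 * Hardened shape: the request only says which Klarna order to look at; every
 * decision rests on what Klarna's own API reports about that order.
 */
function klarna_demo_push($order) {
  $uri = isset($_GET['klarna_order']) ? $_GET['klarna_order'] : '';
  $klarna_order = klarna_demo_fetch_order($uri);  // Assumed helper, see above.
  if (empty($klarna_order) || $klarna_order['status'] != 'checkout_complete') {
    watchdog('klarna_demo', 'Push for order @id without a completed Klarna order.',
      array('@id' => $order->order_id), WATCHDOG_WARNING);
    return MENU_NOT_FOUND;
  }

  // The Klarna order must reference this Commerce order; otherwise a genuine
  // receipt for a cheap order could be replayed against an expensive one.
  if ($klarna_order['merchant_reference']['orderid1'] != $order->order_id) {
    return MENU_ACCESS_DENIED;
  }

  // Amount and currency must match what the site expects to be paid.
  $total = entity_metadata_wrapper('commerce_order', $order)->commerce_order_total->value();
  if ((int) $klarna_order['cart']['total_price_including_tax'] != (int) $total['amount']
      || $klarna_order['purchase_currency'] != $total['currency_code']) {
    return MENU_ACCESS_DENIED;
  }

  // A replayed push must not record a second successful payment.
  $existing = commerce_payment_transaction_load_multiple(array(), array(
    'order_id' => $order->order_id,
    'remote_id' => $klarna_order['id'],
  ));
  if (empty($existing)) {
    klarna_demo_mark_paid($order, $klarna_order['id']);
  }
  drupal_json_output(array('ok' => TRUE));
  drupal_exit();
}

/**
 * Records a successful transaction for the order total and moves the order
 * on. In the hardened handler this is reached only after the checks above.
 */
function klarna_demo_mark_paid($order, $remote_id) {
  $total = entity_metadata_wrapper('commerce_order', $order)->commerce_order_total->value();
  $transaction = commerce_payment_transaction_new('klarna_demo', $order->order_id);
  $transaction->instance_id = $order->data['payment_method'];
  $transaction->remote_id = $remote_id;
  $transaction->amount = $total['amount'];
  $transaction->currency_code = $total['currency_code'];
  $transaction->status = COMMERCE_PAYMENT_STATUS_SUCCESS;
  $transaction->message = 'Payment confirmed by Klarna push for remote order @id.';
  $transaction->message_variables = array('@id' => (string) $remote_id);
  commerce_payment_transaction_save($transaction);
  commerce_order_status_update($order, 'pending', FALSE, TRUE, t('Payment received.'));
}
```

The four checks are deliberately independent: provider-side status rules out a forged callback, the order reference rules out cross-order replay, the amount and currency comparison rules out a tampered or partial order, and the remote_id lookup rules out a duplicate transaction from a legitimately repeated push. Dropping any one of them leaves a way to finish checkout without the money arriving.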


Install the latest version:

Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

Project: Renderkit
Date: 2018-September-19
Security risk: *Moderately critical* 11∕25
Vulnerability: Access bypass


This module, typically in combination with cfr:cfrplugin, allows behaviors to
be composed from granular components. One such behavior is to display a list
of related entities for a given source entity and a given entity relation
(e.g. an entity reference field).

Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

Project: Fraction
Date: 2018-September-05
Security risk: *Less critical* 5∕25
Vulnerability: XSS vulnerability


This module enables you to create fields for storing decimal values as two
integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.
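An added example, not the Fraction module's own code, of where such a bug lives and how it is fixed: a hypothetical Drupal 7 formatter, "fraction_demo", that prints the instance label next to the stored value. The item keys 'numerator' and 'denominator' are taken from the description above; the field type name and function names are assumptions. In Drupal 7 a field label is whatever was typed into the field settings form and is stored verbatim, so a module that puts it into #markup itself must escape it, as core's own field template does with check_plain().

```php
<?php
/**
 * Added example, not the Fraction module's own code.
 *
 * Hypothetical "fraction_demo" formatter for Drupal 7. Item keys 'numerator'
 * and 'denominator' follow the advisory's description; everything else here
 * is assumed.
 */

/**
 * Vulnerable shape: raw concatenation into #markup. A label such as
 *   <img src=x onerror=alert(document.cookie)>
 * is stored as-is on the field settings form and then executes for every
 * user who views an entity carrying the field.
 */
function fraction_demo_render_vulnerable($label, $numerator, $denominator) {
  return array('#markup' => $label . ': ' . $numerator . '/' . $denominator);
}

/**
 * Fixed shape: escape at the point of output. check_plain() turns <, >, &
 * and quotes into entities, so markup in the label is shown, not run. The
 * numbers are cast so a non-numeric value in storage cannot carry markup
 * either.
 */
function fraction_demo_render($label, $numerator, $denominator) {
  return array(
    '#markup' => check_plain($label) . ': ' . (int) $numerator . '/' . (int) $denominator,
  );
}

/**
 * Implements hook_field_formatter_info() for the hypothetical formatter.
 */
function fraction_demo_field_formatter_info() {
  return array(
    'fraction_demo_labelled' => array(
      'label' => t('Fraction with inline label'),
      'field types' => array('fraction_demo'),
    ),
  );
}

/**
 * Implements hook_field_formatter_view().
 */
function fraction_demo_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    // $instance['label'] is the admin-entered label; never trust it for HTML.
    $element[$delta] = fraction_demo_render($instance['label'], $item['numerator'], $item['denominator']);
  }
  return $element;
}
```

Labels are admin-entered, which is why such bugs are rated Less critical rather than higher, but "only admins can set it" is not a reason to skip escaping: the label is rendered to every viewer, and Drupal's security model treats field configuration as data, not as trusted markup.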

Drupal 8.6.0 released

What's new in Drupal 8.6.0?

The most significant update to Drupal 8 in its history, this release includes two new easy ways to install Drupal, a cooking-magazine demo site, oEmbed media support, stable upgrade paths for monolingual Drupal sites, new experimental Media Library and Workspaces modules, significant layout improvements, various REST fixes, and testing improvements.