Advisories

CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014

Project: CKEditor Upload Image
Date: 2018-February-21
Security risk: *Critical* 15∕25
Vulnerability: Access bypass

Description

This module enables you to drag and drop or paste images into CKEditor.
The module does not sufficiently verify users' permissions, which leads to
anonymous users being able to upload files to the server.

Solution: 
Install the latest version:

JSON API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-15

Project: JSON API
Date: 2018-February-21
Security risk: *Moderately critical* 13∕25
Vulnerability: Multiple Vulnerabilities

Description

This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

For Drupion customers

Do not worry about this security update notice if you host your Drupal website on Drupion with the automatic core update options checked, per the instructions at https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis..., because your website will be updated automatically.

VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009

Project: VChess
Date: 2018-February-14
Security risk: *Critical* 18∕25
Vulnerability: Module Unsupported

Description

The Drupal VChess module allows users to play a chess game.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

Project: Entity API
Date: 2018-February-14
Security risk: *Moderately critical* 10∕25
Vulnerability: Information Disclosure

Description

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions, thereby causing an information disclosure vulnerability.

FileField Sources - Moderately critical - Information Disclosure - SA-CONTRIB-2018-007

Project: FileField Sources
Date: 2018-February-07
Security risk: *Moderately critical* 12∕25
Vulnerability: Information Disclosure

Description

 
This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control for the autocomplete
path of reference sources.

Solution

Install the latest version:

Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008

Project: Entity Reference Tab / Accordion Formatter
Date: 2018-February-07
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module enables you to show referenced entities in tabs.

The module doesn't sufficiently sanitize the body fields of the referenced
entities when it prints them to the tabs.
