Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

Project: Fraction
Date: 2018-September-05
Security risk: *Less critical* 5∕25 6/25 (Less Critical)
Vulnerability: XSS vulnerability


This module enables you to create fields for storing decimal values as two
integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057

Project: Drupal Commerce
Version: 8.x-2.x-dev
Date: 2018-August-29
Security risk: *Moderately critical* 14∕25
Vulnerability: Access bypass


This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.


Update to Commerce 8.x-2.9.

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

Project: Bing Autosuggest API
Version: 7.x-1.x-dev
Date: 2018-August-29
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting


This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API


Install the latest version:

File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Project: File (Field) Paths
Date: 2018-August-15
Security risk: *Critical* 15∕25
Vulnerability: Remote Code Execution


This module enables you to automatically sort and rename your uploaded files
using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is
uploading, allowing a remote attacker to execute arbitrary PHP code.

PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17∕25
Vulnerability: Arbitrary PHP code execution


This module enables you to add or overwrite PHP configuration on a Drupal

The module doesn't sufficiently allow access to set these configurations,
leading to arbitrary PHP configuration execution by an attacker.

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

* Advisory ID: SA-CORE-2018-005
* Project: Drupal core
* Version: 8.x
* CVE: CVE-2018-14773
* Date: 2018-August-01


The Drupal project uses the Symfony library. The Symfony library has released
a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

WordPress 4.9.8 Maintenance Release

We are pleased to announce the immediate availability of WordPress 4.9.8. This maintenance release fixes 46 bugs, enhancements and blessed tasks, including updating the Twenty Seventeen bundled theme.

Following are the highlights of what is now available.

“Try Gutenberg” callout

Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Project: Select (or other)
Date: 2018-July-25
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting


This module enables users to select 'other' on certain form elements and a
textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape values of a text field under the
scenario when the "Select or other" formatter is used.

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: *Critical* 17∕25
Vulnerability: SQL Injection


This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the
database with user supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Project: XML sitemap
Date: 2018-July-18
Security risk: *Moderately critical* 13∕25
Vulnerability: Information Disclosure


This module enables you to generate XML sitemaps and it helps search engines
to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently handle access rights under the scenario of
updating contents from cron execution.
