Drupal

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: *Critical* 18∕25
Vulnerability: Remote Code Execution

Description

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or on a third-party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution

Install the latest version:

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: *Moderately critical* 11∕25
Vulnerability: Cross Site Request Forgery

Description 

This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated
traffic using cookie-based authentication.
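The check that was missing, as an added example (this is not JSON API module code or Drupal core code): CSRF protection is needed exactly when a state-changing request is authenticated by a session cookie, because a browser attaches that cookie to cross-site requests automatically. The shape follows the Drupal 8 convention of a per-session token fetched from GET /session/token and returned in an X-CSRF-Token header, which core enforces on its own REST routes through the `_csrf_request_header_token` route requirement. The cookie name, the site secret and the request arrays are assumptions for the illustration.

```php
<?php
// Added example, not code from the JSON API module or Drupal core.
declare(strict_types=1);

const SITE_SECRET    = 'constructed-secret-replace-in-real-deployments'; // assumption
const SESSION_COOKIE = 'SESS';                                            // assumption

/** Token bound to one session; another origin can neither read nor forge it. */
function csrf_token(string $session_id): string {
    return hash_hmac('sha256', 'csrf-token:' . $session_id, SITE_SECRET);
}

/** Safe methods must not change state and therefore need no token. */
function is_safe_method(string $method): bool {
    return in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true);
}

/** Case-insensitive header lookup. */
function header_value(array $headers, string $name): ?string {
    foreach ($headers as $k => $v) {
        if (strcasecmp((string) $k, $name) === 0) {
            return (string) $v;
        }
    }
    return null;
}

/** Returns true if the request may proceed, false if it must be rejected with 403. */
function csrf_guard(string $method, array $headers, array $cookies): bool {
    if (is_safe_method($method)) {
        return true;
    }
    // No session cookie: the request is not cookie-authenticated (anonymous, Basic
    // auth, bearer token). A browser cannot be tricked into attaching those
    // credentials to a cross-site request, so no token is demanded.
    if (!isset($cookies[SESSION_COOKIE])) {
        return true;
    }
    $presented = header_value($headers, 'X-CSRF-Token');
    if ($presented === null) {
        return false;
    }
    return hash_equals(csrf_token($cookies[SESSION_COOKIE]), $presented);
}

/** The cases an API serving cookie-authenticated clients must distinguish. */
function demo(): array {
    $session = 'constructed-session-id-1234';
    $cookies = [SESSION_COOKIE => $session];
    return [
        // A form on another origin posts to the API with the victim's cookie attached.
        'forged_post'     => csrf_guard('POST', ['Content-Type' => 'application/vnd.api+json'], $cookies),
        // Same-origin JavaScript fetched /session/token first and attached it.
        'legitimate_post' => csrf_guard('POST', ['X-CSRF-Token' => csrf_token($session)], $cookies),
        // Stale or guessed token.
        'bad_token_post'  => csrf_guard('DELETE', ['X-CSRF-Token' => 'deadbeef'], $cookies),
        // Reads never need a token.
        'get'             => csrf_guard('GET', [], $cookies),
        // Token-based auth without a cookie is not a CSRF target.
        'bearer_post'     => csrf_guard('POST', ['Authorization' => 'Bearer constructed-token'], []),
    ];
}

var_dump(demo());
```

Only the forged and bad-token cases are rejected; the point of the guard is that it stays out of the way of GET traffic and of clients that authenticate with an Authorization header, so adding it to an API does not break non-browser consumers.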

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Project: DRD Agent
Date: 2018-April-25
Security risk: *Critical* 15∕25
Vulnerability: PHP object injection

Description

This module enables you to monitor and manage any number of remote Drupal
sites and aggregate useful information for administrators in a central
dashboard.
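What "PHP object injection" means for a module that exchanges messages between remote agents and a central dashboard, as an added example (not DRD Agent code and not a description of its internals): if attacker-controlled bytes reach unserialize(), the attacker chooses which application classes get instantiated, and PHP runs their __wakeup() and __destruct() methods regardless of who created the object. The gadget class, the audit log and the payload below are constructed for the illustration.

```php
<?php
// Added example, not DRD Agent code. Requires PHP 7.4+ for typed properties.
declare(strict_types=1);

/** Records side effects so the demo can show them without touching the filesystem. */
final class Audit {
    /** @var string[] */
    public static array $deleted = [];
}

/**
 * An ordinary application class that removes a temporary file when it goes out
 * of scope. An instance materialised by unserialize() from attacker data turns
 * this into "delete any path the attacker names".
 */
final class TempFileCleaner {
    public string $path;

    public function __construct(string $path) {
        $this->path = $path;
    }

    public function __destruct() {
        // A real implementation would call unlink($this->path); the demo only records it.
        Audit::$deleted[] = $this->path;
    }
}

/** The attacker never calls the constructor; they only write the serialized form. */
function attacker_payload(string $target): string {
    return sprintf('O:%d:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
        strlen('TempFileCleaner'), strlen($target), $target);
}

/** Vulnerable: any class loaded in the process can be instantiated by the sender. */
function unsafe_decode(string $untrusted) {
    return unserialize($untrusted);
}

/** Fixed (PHP 7.0+): objects come back as __PHP_Incomplete_Class, whose magic methods are inert. */
function safe_decode(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

function demo(): array {
    $payload = attacker_payload('/var/www/html/sites/default/settings.php');

    Audit::$deleted = [];
    $obj = unsafe_decode($payload);
    unset($obj);                         // __destruct() runs on the injected object
    $deleted_by_unsafe = Audit::$deleted;

    Audit::$deleted = [];
    $obj = safe_decode($payload);
    $class = get_class($obj);            // an __PHP_Incomplete_Class instance, no destructor
    unset($obj);
    $deleted_by_safe = Audit::$deleted;

    return [
        'unsafe_deleted' => $deleted_by_unsafe,
        'safe_class'     => $class,
        'safe_deleted'   => $deleted_by_safe,
    ];
}

var_dump(demo());
```

The allowed_classes option is the minimal fix; the better one for an agent protocol is to not use PHP serialization for untrusted input at all, exchange JSON instead, and authenticate each message (for example with an HMAC under a shared secret) before parsing it.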

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify site owners that the Drupal core release is outside the regular schedule of security releases. The Drupal Security Team urges you to reserve time for the core update in that window, because there is some risk that exploits will be developed within hours or days of the release.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Project: Drupal core
Date: 2018-April-18
Security risk: *Moderately critical* 12∕25
Vulnerability: Cross Site Scripting

Description

CKEditor, a third-party JavaScript library included in Drupal core, has fixed
a cross-site scripting (XSS) vulnerability [3]. The vulnerability stemmed
from the fact that it was possible to execute XSS inside CKEditor when using
the image2 plugin (which Drupal 8 core also uses).

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Project: Display Suite
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: *Critical* 17∕25
Vulnerability: Cross site scripting (XSS)

Description

Display Suite allows you to take full control over how your content is
displayed using a drag-and-drop interface.

The module doesn't sufficiently validate view modes provided dynamically via
URLs leading to a reflected cross site scripting (XSS) attack.
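How a view mode name taken from the URL becomes reflected XSS, and the allowlist-plus-escape fix, as an added example (not Display Suite code; the view-mode list, the markup and the probe string are constructed):

```php
<?php
// Added example, not Display Suite code.
declare(strict_types=1);

/** View modes the site actually defines; in Drupal 7 this comes from entity_get_info(). */
function known_view_modes(): array {
    return ['default', 'full', 'teaser', 'rss'];
}

/** Vulnerable: whatever ?view_mode= contained is echoed verbatim into the page. */
function render_switcher_unsafe(string $view_mode): string {
    return '<div class="ds-switch" data-view-mode="' . $view_mode . '">'
         . 'Showing ' . $view_mode . '</div>';
}

/**
 * Fix, step one: treat the parameter as a selector into a known set, never as text.
 * Drupal machine names are [a-z0-9_], so anything else cannot be a view mode.
 */
function resolve_view_mode(?string $requested, string $fallback = 'default'): string {
    if ($requested !== null
        && preg_match('/^[a-z0-9_]{1,64}$/', $requested) === 1
        && in_array($requested, known_view_modes(), true)) {
        return $requested;
    }
    return $fallback;
}

/** Fix, step two: escape at the output boundary anyway (defence in depth). */
function render_switcher_safe(?string $requested): string {
    $mode = htmlspecialchars(resolve_view_mode($requested), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="ds-switch" data-view-mode="' . $mode . '">Showing ' . $mode . '</div>';
}

function demo(): array {
    // Constructed reflected-XSS probe, as it would arrive in $_GET['view_mode'].
    $probe = '"><script>alert(document.domain)</script>';
    return [
        'unsafe' => render_switcher_unsafe($probe),  // the script element survives
        'safe'   => render_switcher_safe($probe),    // unknown name falls back to "default"
        'teaser' => render_switcher_safe('teaser'),  // valid names still work
    ];
}

var_dump(demo());
```

In Drupal 7 the escaping step is check_plain(); in Drupal 8 Twig autoescapes, but the allowlist step still matters because a bogus view mode can reach code paths (cache keys, CSS classes, template suggestions) that are not plain text output.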

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk: *Critical* 17∕25
Vulnerability: Access bypass

Description

This module helps in exporting and importing Menu Items via the
administrative interface.

The module does not properly restrict access to administrative pages,
allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.
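How an administrative route ends up reachable by anonymous users in Drupal 8, and the fix, as an added example (not the Menu Import and Export module's own routing file; the route names, paths and controller class are assumptions for the illustration):

```yaml
# Added example, not the module's routing file. Route and controller names are assumed.

# Weak: '_access: TRUE' grants the route to everyone, including anonymous users.
# Placing the path under /admin/ does NOT restrict access by itself.
example_menu_io.export_weak:
  path: '/admin/structure/menu/export'
  defaults:
    _controller: '\Drupal\example_menu_io\Controller\ExportController::export'
    _title: 'Export menu links'
  requirements:
    _access: 'TRUE'

# Corrected: require a permission. Drupal's access system returns 403 to anyone
# without it. 'administer menu' is core's existing menu-administration permission.
example_menu_io.export:
  path: '/admin/structure/menu/export'
  defaults:
    _controller: '\Drupal\example_menu_io\Controller\ExportController::export'
    _title: 'Export menu links'
  requirements:
    _permission: 'administer menu'

# The import side changes state, so it additionally needs CSRF protection when it
# is triggered by a link rather than a Form API form.
example_menu_io.import:
  path: '/admin/structure/menu/import'
  defaults:
    _controller: '\Drupal\example_menu_io\Controller\ImportController::import'
    _title: 'Import menu links'
  requirements:
    _permission: 'administer menu'
    _csrf_token: 'TRUE'
```

A quick check for this class of bug across a site: grep every contributed module's *.routing.yml for `_access: 'TRUE'` and confirm each hit is genuinely meant to be public.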

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Project: Drupal core
Date: 2018-March-28
Security risk: *Highly critical* 21∕25
Vulnerability: Remote Code Execution

Description

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
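The mitigation approach the core fix took, as an added example (this is my own illustration, not Drupal's RequestSanitizer): strip request keys that begin with '#' before user input can reach the Form API and Render API, where '#'-prefixed keys are interpreted as render properties rather than data. Core exposes an allowlist for sites that legitimately need such keys (named sanitize_input_whitelist); the allowlist and the sample request below are constructed.

```php
<?php
// Added example, not Drupal core's RequestSanitizer.
declare(strict_types=1);

/**
 * Recursively drop '#'-prefixed keys from a request array, except keys the
 * site explicitly allowed. Returns [cleaned array, list of removed key paths]
 * so the caller can log what was stripped.
 */
function strip_render_keys(array $input, array $whitelist = [], string $path = ''): array {
    $removed = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#' && !in_array($key, $whitelist, true)) {
            unset($input[$key]);
            $removed[] = $here;
            continue;
        }
        if (is_array($value)) {
            [$input[$key], $nested] = strip_render_keys($value, $whitelist, $here);
            $removed = array_merge($removed, $nested);
        }
    }
    return [$input, $removed];
}

/** Apply the filter to every input source a request is read from. */
function sanitize_request(array $get, array $post, array $cookie, array $whitelist = []): array {
    $clean = [];
    $log   = [];
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $source => $data) {
        [$clean[$source], $removed] = strip_render_keys($data, $whitelist);
        foreach ($removed as $r) {
            $log[] = "$source: stripped $r";
        }
    }
    return [$clean, $log];
}

function demo(): array {
    // Constructed input: an ordinary form submission with '#'-prefixed keys
    // smuggled in at the top level and inside a nested field value.
    $get  = ['q' => 'user/register', '#foo' => 'x'];
    $post = [
        'name'    => 'alice',
        'mail'    => ['value' => 'alice@example.com', '#type' => 'smuggled'],
        'form_id' => 'user_register_form',
        '#nested' => ['#deep' => 1],
    ];
    $cookie = ['SESS' => 'constructed'];
    return sanitize_request($get, $post, $cookie, ['#allowed_by_admin']);
}

var_dump(demo());
```

The log output is worth keeping on a production site: after patching, any request that still carries '#'-prefixed keys is either a misconfigured integration or an exploitation attempt, and either way it deserves a look.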
