Security

File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Project: File (Field) Paths
Date: 2018-August-15
Security risk: *Critical* 15∕25
Vulnerability: Remote Code Execution

Description

This module enables you to automatically sort and rename your uploaded files
using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being
uploaded, allowing a remote attacker to execute arbitrary PHP code.

PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: *Critical* 17∕25
Vulnerability: Arbitrary PHP code execution

Description

This module enables you to add or overwrite PHP configuration on a Drupal
website.

The module doesn't sufficiently restrict access to setting these
configurations, allowing an attacker to apply arbitrary PHP configuration.

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

* Advisory ID: SA-CORE-2018-005
* Project: Drupal core
* Version: 8.x
* CVE: CVE-2018-14773
* Date: 2018-August-01

DESCRIPTION

The Drupal project uses the Symfony library. The Symfony library has released
a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

WordPress 4.9.8 Maintenance Release

We are pleased to announce the immediate availability of WordPress 4.9.8. This maintenance release fixes 46 bugs, enhancements and blessed tasks, including updating the Twenty Seventeen bundled theme.

Following are the highlights of what is now available.

“Try Gutenberg” callout

Most users will now be presented with a notice in their WordPress dashboard. This “Try Gutenberg” callout is an opportunity for users to use the Gutenberg block editor before it is released in WordPress 5.0.

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Project: Select (or other)
Date: 2018-July-25
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This module enables users to select 'other' on certain form elements and a
textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of the text field when the
"Select or other" formatter is used.

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Project: XML sitemap
Date: 2018-July-18
Security risk: *Moderately critical* 13∕25
Vulnerability: Information Disclosure

Description

This module enables you to generate XML sitemaps and it helps search engines
to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently check access rights when updating content
during cron execution.

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: *Critical* 17∕25
Vulnerability: SQL Injection

Description

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the
database with user supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional
queries.

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

Project: litejazz
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme features 3 color styles, 12 fully collapsible regions, suckerfish
menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

Project: Tapestry
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme provides Drupal users with many advanced features including 20
Different Color Styles, 30 User Regions, Custom Block Theme Templates,
Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple
Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Project: NewsFlash
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
Vulnerability: Cross Site Scripting

Description

This theme features 7 color styles, 12 collapsible regions, suckerfish menus,
fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.
