Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022
This module enables you to create and manage photos and photo albums on your website. The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions. This vulnerability is mitigated by the fact that an attacker must have a role wit...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
The Drupal project uses the PEAR ArchiveTar library. The PEAR ArchiveTar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948 CVE-2020-28949 Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz...
ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034
The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes. The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection. As this is an API module, it is only...
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services rest module enabled and allows GET, PAT...
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004
Drupal core provides a page that outputs the markup from phpinfo to assist with diagnosing PHP configuration. If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the...
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are ... security issues in jQuery’s DOM manipulation methods, as in .html, .append, and the others. Security advisories for...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
The Drupal project uses the third-party library ArchiveTar, which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The lates...
Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002
jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security...
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
Update November 18: Documented longer list of dangerous file extensions. Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting...
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability...
Embed - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2022-042
The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers. Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference:...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006
The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes: jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object...
Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009
Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this...
Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting (XSS) vulnerability. Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This...
Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
Drupal core uses the third-party PEAR ArchiveTar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001
jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issu...
GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027
The GOV.UK Theme (govuktheme) is a Drupal theme for the GOV.UK Design System. The theme doesn't sanitize user input in certain cases, which leads to Cross-Site Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007
This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor: In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has ...
Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001
The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The vulnerability is mitigated by the fact that the inaccessible media will only be visib...
Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
This module enables you to display a Bible on your website. Users can associate notes with a Bible version. This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title. A user must have the "Access Bible content"...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003
Drupal 11.3 comes with support for completing entity suggestions whilst adding a link to CKEditor 5. The suggestions aren't sufficiently sanitized and a malicious user could trigger a stored cross site scripting attack against another user...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...
Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029
The Modal form module is a toolset for quick start of using forms in modal windows. Any form is available for view and submit when the modalform module is installed. The only requirement is to know the form's fully-qualified class name...
Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this relea...
Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules. The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticat...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. We are issuing this security advisory outside...
Drupal core - Critical - Access bypass - SA-CORE-2019-008
In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not...
RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019
This module exposes Drupal resources (e.g. entities) as RESTful web services. The module doesn't sufficiently restrict access for user resources...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate a related vulnerability. Multiple...
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
This security release fixes third-party dependencies included in or required by Drupal core. CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory: Validation messages were not escaped when using the form theme of the PHP templating engine which, when...
Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules...
Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...
Drupal core - Critical - Third-party libraries - SA-CORE-2021-001
The Drupal project uses the pear ArchiveTar library, which has released a security update that impacts Drupal. For more information please see: CVE-2020-36193 Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010
Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS...
Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004
The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to...
Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module which comes with the Standard profile is installed. This advisory is not covered by Drupal Steward...
LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124
The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002). Only sites with the Overlay module enabled are vulnerable. CVE...
jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core. jQuery UI was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, an...
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order fo...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass...
Drupal core - Less critical - Access bypass - SA-CORE-2020-006
JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable...
Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...