Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033
This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must...
Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032
Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection...
Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...
GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024
This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI. The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact th...
Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026
This module enables you to use complex autocompletion in forms. The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an attacker...
GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023
This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...
TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The...
Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028
This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the fiel...
Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025
This module provides integration with Mailchimp, a popular email delivery service. A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack...
Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027
This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It currently is using the 'access content' permission and not a proper administrative/access permission. The...
Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021
CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that t...
Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022
This module enables you to create and manage photos and photo albums on your website. The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions. This vulnerability is mitigated by the fact that an attacker must have a role wit...
Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020
This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...
Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017
The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent. The module doesn't sufficiently sanitize the text on the block leading to a cross site scripting XSS vulnerability. This vulnerability is...
Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016
The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered. The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting XSS vulnerability. Th...
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019
This module provides social media share & follow buttons. The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting XSS vulnerability...
AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018
This module provides social media share & follow buttons. The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block. This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific...
File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery SSRF vulnerability leading to Information Disclosure. I...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014
S3 File System s3fs provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service S3 or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web...
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...
Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013
This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...
Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012
This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports. This vulnerability is mitigated by the fact that an attacker must have a role with...
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004
Drupal core provides a page that outputs the markup from phpinfo to assist with diagnosing PHP configuration. If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002
The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages. The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content...
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...
Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...
Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007
Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thundergqls module which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing...
Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...
Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006
This module enables you to add social sharing buttons to a site. The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...
Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...
Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...
Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002
The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget. Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001
The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The vulnerability is mitigated by the fact that the inaccessible media will only be visib...
Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
This module enables users to create 'private' vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View...
File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
The File Field Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names. The module's default configuration could temporarily expose private files to anonymous visitors. Important note: to fix...
H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064
This module enables you to create interactive content. The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In...
Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063
This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own registration type" permission...
Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060
The Social Base theme is designed as a base theme for Open Social. This base theme has a lot of sensible defaults. It doesn't however contain much styling. We expect developers to want to change this for their own project. When content within the Open Social distribution is placed within a...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
Social Private Message module allows users on the platform to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061
Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...
Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059
This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups. This vulnerability is mitigated ...
Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters fieldlabel, fieldvalue,...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057
This module enables you to utilize S3-compatible storage as a Drupal filesystem. The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket. This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016
Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate a related vulnerability. Multiple...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055
This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056
This module enables you to set content permissions based on taxonomy terms. The module doesn't sufficiently restrict access to translated and unpublished nodes. This vulnerability is mitigated by the fact that it only affects sites with translated content...