Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site. The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal...

Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit...

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker mu...

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers. Drupal core sanitizes filenames with dangerous extensions upon upload reference: SA-CORE-2020-012 and strips leading and trailing dots from filenames to prevent uploading server configuration files reference:...

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules...

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

This module enables you to generate print versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf 2.0.0 See the library release notes for more detail:...

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration. The module doesn't sufficiently check access for the edit an...

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended. Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: Failure to strip the Cookie header on change in host or HTTP...

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. We are issuing this security advisory outside...

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers user can view API keys for their respective Apps. The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for...

Embed - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2022-042

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some...

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Open Social is a Drupal distribution for online communities. Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct...

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

The Wingsuit module enables site builders to build UI Patterns and|or Twig Components with Storybook and use them without any mapping code in Drupal. The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration...

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Image Field Caption imagefieldcaption adds an extra text area for captions on image fields. The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting XSS vulnerability. The vulnerability is mitigated by several permissions, of which at least some are commonly...

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities. The module has a vulnerability which allows attackers to bypass the protection ...

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual...

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs. The risk is mitigated by the fact that, even though the attacker can bypass the...

Anti-Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

This module provides integration with the CleanTalk spam protection service. The module does not properly filter data in certain circumstances. Update: 2022-03-31 - fix release node links...

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported This module was...

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An...

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in...

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images...

GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027

The GOV.UK Theme govuktheme is a Drupal theme for the GOV.UK Design System. The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more...

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...

Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025

This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some conten...

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without...

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

This module enables users to create 'private' vocabularies. The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. Partial mitigation is available by requiring users have been...

Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007

Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which includes fixes for the security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not...

Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016

Update Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding to/editing terms of/removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...

Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...

Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...