These posts by the Drupal security team are also sent to the security announcements email list.

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Date: 2020-June-17
CVE IDs: CVE-2020-13665

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in read-only mode, which makes the vulnerability impossible to exploit. Only sites that have read_only set to FALSE in the jsonapi.settings configuration are vulnerable.

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Date: 2020-June-17
CVE IDs: CVE-2020-13664

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site, which could result in the creation of a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Date: 2020-June-17
CVE IDs: CVE-2020-13663

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Date: 2020-May-20
CVE IDs: CVE-2020-13662

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Date: 2020-May-20

The jQuery project released version 3.5.0 and, as part of that release, disclosed two security vulnerabilities that affect all prior versions. As described in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

Date: 2019-December-18

The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

Date: 2019-December-18

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Date: 2019-December-18

Drupal 8 core's file_save_upload() function does not strip leading and trailing dots ('.') from filenames, as Drupal 7 did.

Users who can upload files with any extension, in conjunction with contributed modules, may be able to use this to upload system files such as .htaccess and thereby bypass the protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

Date: 2019-December-18

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.
