News reader
Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.
This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.
This release was coordinated with SA-CORE-2023-002.
Solution: Install the latest version:
- If you use the Media Responsive Thumbnail module, upgrade to Media Responsive Thumbnail 8.x-1.5.
- Ivan Vidusenko
- Benji Fisher of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Joseph Zhao, provisional member of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Dave Long of the Drupal Security Team
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004
Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Solution: Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
- If you are using Drupal 7, update to Drupal 7.95.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By / Fixed By:
- Damien McKenna of the Drupal Security Team
- Elar Lang
- Lee Rowlands of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Joseph Zhao, provisional member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Jen Lampton, provisional member of the Drupal Security Team
- Nate Lampton
- Greg Knaddison of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.
Reported By / Fixed By:
- Jan Kellermann
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Jess of the Drupal Security Team
- Sascha Grossenbacher
- Neil Drumm of the Drupal Security Team
- Dave Long of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002
The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.
This release was coordinated with SA-CONTRIB-2023-010.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Media Library module and therefore is not affected.
Reported By / Fixed By:
- Lee Rowlands of the Drupal Security Team
- James Williams
- Jess of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Dan Flanagan
- Jen Lampton, provisional member of the Drupal Security Team
- Joseph Zhao, provisional member of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
This module provides a new UI experience for node editing: the Gutenberg editor.
This vulnerability can cause a denial of service through improper use of reusable blocks.
This vulnerability is mitigated by the fact that an attacker must have the "use gutenberg" permission to exploit it.
Solution: Install the latest version:
- If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7.
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions.
Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.
Solution: Install the latest version:
- If you use the Group control for forums module for Drupal 9.x or 10.x, upgrade to Group control for forums 2.0.2.
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007
Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface.
The module doesn't sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability that can potentially expose email addresses.
Solution: Install the latest version:
- If you use the Thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to Thunder 6.4.6 or Thunder 6.5.3, respectively.
- Greg Knaddison of the Drupal Security Team
Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006
This module enables you to add social sharing buttons to a site.
The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution: Install the latest version:
- If you use the Better Social Sharing Buttons module for Drupal 9 or 10, upgrade to Better Social Sharing Buttons 4.0.3.
- Damien McKenna of the Drupal Security Team
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.
Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.
Solution: Install the latest version:
- If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8.
- If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27.
- Greg Knaddison of the Drupal Security Team
Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
This module enables you to use the media library in custom forms without the Media Library Widget.
The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.
Solution: Install the latest version:
- If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
- If you use the Media Library Form API Element module version 8.x-1.*, all of those releases are affected and no longer supported; upgrade to 2.0.6.
- Benji Fisher of the Drupal Security Team
- Dan Flanagan
- Kim Kennof
- Lauri Eskola
- Alex Bronstein of the Drupal Security Team
- Luke Leber
- Lee Rowlands of the Drupal Security Team
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001
The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.2.
- If you are using Drupal 9.5, update to Drupal 9.5.2.
- If you are using Drupal 9.4, update to Drupal 9.4.10.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Media Library module and therefore is not affected.
Reported By / Fixed By:
- Lee Rowlands of the Drupal Security Team
- Dan Flanagan
- Sean Blommaert
- xjm of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Jen Lampton, provisional member of the Drupal Security Team
- Sascha Grossenbacher
- Lauri Eskola, provisional member of the Drupal Security Team
Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block.
The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.
Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.
Solution: Install the latest version:
- If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.
- Lee Rowlands of the Drupal Security Team
- Dan Flanagan
- ayalon
- xjm of the Drupal Security Team
- Jan Hug
- Dan Flanagan
- Dave Reid of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002
The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.
Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.
Solution: Install the latest version:
- If you use the Entity Browser module for Drupal 9 or 10, upgrade to Entity Browser 8.x-2.9.
- Lee Rowlands of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Sascha Grossenbacher
- Benji Fisher of the Drupal Security Team
- xjm of the Drupal Security Team
- Lauri Eskola, provisional member of the Drupal Security Team
- Dan Flanagan
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".
Solution: Install the latest version:
- If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6.
- Damien McKenna of the Drupal Security Team
- Jess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
The File (Field) Paths module extends the default functionality of Drupal's core File module by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
This problem can also be mitigated by a configuration change in the admin UI at /admin/config/media/file-system/filefield-paths: the temporary file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.
Solution: Install the latest version:
- If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2.
- Hayato Goto
- Drew Webber of the Drupal Security Team
- Steve Bink
- Hayato Goto
- David Snopek of the Drupal Security Team
- Vijay Mani, provisional member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Oleh Vehera
- Damien McKenna of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064
This module enables you to create interactive content.
The module doesn't sufficiently prevent path traversal through the names of files inside uploaded .h5p (zip) archives.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.
Solution: Install the latest version:
- If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51.
Disclosed publicly.
Fixed By / Coordinated By:
- Greg Knaddison of the Drupal Security Team
Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063
This module enables you to create registration entities related to nodes.
The module doesn't sufficiently restrict update access to a user's own registrations.
This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.
Solution: Install the latest version:
- If you use the Entity Registration module for Drupal 7.x, upgrade to the Entity Registration 7.x-1.9 release.
Note: Sites that allow non-administrative users to manage registrations because those users can update the registration host entity and hold the "update own registration" permission for a given registration type may need to grant those users the "administer own registration" permission so that they retain the ability to manage registrations after installing this upgrade.
Reported By / Fixed By / Coordinated By:
- James Gilliland of the Drupal Security Team