News reader
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- Failure to strip the Cookie header on change in host or HTTP downgrade
- Fix failure to strip Authorization header on HTTP downgrade
These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.0-rc2.
- If you are using Drupal 9.3, update to Drupal 9.3.16.
- If you are using Drupal 9.2, update to Drupal 9.2.21.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Fixed By:
- Heine of the Drupal Security Team
- Dave Long, provisional member of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- cilefen of the Drupal Security Team
- xjm of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.14.
- If you are using Drupal 9.2, update to Drupal 9.2.20.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Fixed By:
- cilefen of the Drupal Security Team
- xjm of the Drupal Security Team
- Dezső BICZÓ
- Greg Knaddison of the Drupal Security Team
- Benji Fisher, provisional member of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Alex Pott of the Drupal Security Team
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Developers (users) can view the API keys for their respective apps.
The module discloses information by allowing an attacker with access to the same computer to view cached API keys from the browser cache for a limited time after the user logs in.
Solution: Install the latest version:
- If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.3
- If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.26
- Greg Knaddison of the Drupal Security Team
Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
Entity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.
Solution: Install the latest version:
- If you use the entity_browser_block module for Drupal 8+, upgrade to entity_browser_block 8.x-1.2
- Greg Knaddison of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043
Open Social is a Drupal distribution for online communities.
Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly applied the correct access checks.
This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.
Note that the affected versions were already unsupported; this advisory is released because there are still reported installs of the affected versions.
Solution: Install the latest versions:
- If you use Open Social versions prior to 11.0.0, upgrade to at least Open Social 11.0.0 where this issue is resolved
Preferably use one of the supported versions:
Fixed By: A variety of people as part of upgrading to version 11.
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
Embed - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-042
The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields.
In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some cases, this could lead to cross-site scripting (XSS).
Solution: Install the latest version:
- If you use the Embed module for Drupal 8.x or 9.x, upgrade to Embed 8.x-1.5
- Dave Reid of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Adam G-H
- Dave Reid of the Drupal Security Team
Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
The Wingsuit module enables site builders to build UI Patterns and/or Twig Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration.
Solution: Install the latest version:
- If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade to Wingsuit 8.x-1.1
- Greg Knaddison of the Drupal Security Team
Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039
The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported.
Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities.
The module has a vulnerability which allows attackers to bypass the access check that protects group content and clone any group content. Users are allowed to copy other groups' nodes, and if they do so, the cloned node gets added to groups they don't have access to.
This vulnerability is mitigated by the fact it only affects sites that also use the Groups contributed module.
Solution: Install the latest version:
- If you use the Quick Node Clone module for Drupal 8.x, upgrade to Quick Node Clone 8.x-1.15
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036
Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.
The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.
The vulnerability is mitigated by several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
Solution: Install the latest version:
- If you use the image_field_caption module for Drupal 9.x, upgrade to image_field_caption 8.x-1.2
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035
Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.
The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".
Solution: Install the latest version:
- If you use the Doubleclick for Publishers module for Drupal 9.x, upgrade to DFP 8.x-1.2
Note that the Drupal 7 version of this module is unaffected.
Coordinated By:
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034
This module enables you to add URL fields to entity types with a variety of options.
The module doesn't sufficiently filter output when token processing is disabled on an individual field.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.
Solution: Install the latest version:
- If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.11
- Damien McKenna of the Drupal Security Team
- Brad Bulger
- Greg Knaddison of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.
This vulnerability only affects sites using Drupal's revision system.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.12.
All releases prior to Drupal 9.3 (including Drupal 7) are not affected.
Fixed By:
- Kristiaan Van den Eynde
- Lee Rowlands of the Drupal Security Team
- Adam Bramley
- xjm of the Drupal Security Team
- Dave Long
- Nathaniel Catchpole of the Drupal Security Team
- Jibran Ijaz
- Benji Fisher
Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.12.
- If you are using Drupal 9.2, update to Drupal 9.2.18.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Fixed By:
- xjm of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Dezső BICZÓ
- Lee Rowlands of the Drupal Security Team
Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033
The Rename Admin Paths module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass the protection by using specially crafted URLs.
The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.
Solution: Install the latest version:
- If you use the rename_admin_paths module for Drupal 7.x, upgrade to rename_admin_paths 7.x-2.4
Only the 7.x version of the module is vulnerable. If you use the 8.x version, you do not have to take any action.
Reported By:
- Ivo Van Geertruyen of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Raphaël Apard
- Chris McCafferty of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032
This module provides integration with the CleanTalk spam protection service.
The module does not properly filter data in certain circumstances.
Solution: Install the latest version:
- If you use the Anti Spam by CleanTalk module for Drupal 8.x, upgrade to Anti Spam by CleanTalk 8.x-4.13
- If you use the Anti Spam by CleanTalk module for Drupal 9.x, upgrade to Anti Spam by CleanTalk 9.1.19
- Chris McCafferty of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without those roles needing the "administer permissions" permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own user account.
This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the Views Bulk Operations module enabled. For example, the admin_views module provides such a view.
Solution: Install the latest version:
- If you use the Role Delegation module for Drupal 7.x, upgrade to Role Delegation 7.x-1.3
- Greg Knaddison of the Drupal Security Team
Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
This module was marked unsupported on 2022-01-26; however, the SA was not published at that time.
Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.9.
- If you are using Drupal 9.2, update to Drupal 9.2.16.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Reported By:
- Jeroen Tubex
- Damien McKenna of the Drupal Security Team
- xjm of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.
Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.
For more information, see CKEditor's security advisories:
- CVE-2022-24728: HTML processing vulnerability allowing to execute JavaScript code
- CVE-2022-24729: Regular expression Denial of Service in dialog plugin
This advisory is not covered by Drupal Steward.
Solution: Install the latest version:
- If you are using Drupal 9.3, update to Drupal 9.3.8.
- If you are using Drupal 9.2, update to Drupal 9.2.15.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Instructions for Drupal 7 and contributed modules
Drupal 7 core is not affected, although Drupal 7, 8, and 9 site owners should review their site following the protocol for managing external libraries and plugins previously suggested by the Drupal Security Team, as contributed projects may use additional CKEditor plugins not packaged in Drupal core.
Users of the Webform module should ensure Webform's version of CKEditor 4 is also up-to-date after updating Drupal core and libraries for any affected contributed modules. If it is not, Webform users can try the following steps to update it:
- If using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and then run composer update.
- If using Drush without Composer, run drush webform:libraries:update.
Learn more about updating Webform libraries.
Fixed By:
- Jess of the Drupal Security Team
- Wim Leers
- Lee Rowlands of the Drupal Security Team