These posts by the Drupal security team are also sent to the security announcements email list.

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

Date: 2020-September-16
CVE IDs: CVE-2020-13670

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

Date: 2020-September-16
CVE IDs: CVE-2020-13667

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009

Date: 2020-September-16
CVE IDs: CVE-2020-13668

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Date: 2020-June-17
CVE IDs: CVE-2020-13665

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode, which makes the vulnerability impossible to exploit. Only sites that have set read_only to FALSE in the jsonapi.settings config are vulnerable.

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Date: 2020-June-17
CVE IDs: CVE-2020-13664

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Date: 2020-June-17
CVE IDs: CVE-2020-13663

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Date: 2020-May-20
CVE IDs: CVE-2020-13662

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Date: 2020-May-20

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:
