These posts by the Drupal security team are also sent to the security announcements e-mail list.

Drupal core - Critical - Access bypass - SA-CORE-2019-008

Date: 2019-July-17
CVE IDs: CVE-2019-6342

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.

This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

Date: 2019-May-08
CVE IDs: CVE-2019-11831

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives, the base name has to be determined and checked before allowing it to be handled by PHP Phar stream handling. [...]

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

Date: 2019-April-17
CVE IDs: CVE-2019-11358

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

Date: 2019-April-17

This security release fixes third-party dependencies included in or required by Drupal core.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Date: 2019-March-20
CVE IDs: CVE-2019-6341

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Date: 2019-February-20
CVE IDs: CVE-2019-6340

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 2019-January-16
CVE IDs: CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

Date: 2019-January-16
CVE IDs: CVE-2019-6338

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Drupal Core - Third-party libraries - SA-CORE-2018-005

  • Advisory ID: DRUPAL-SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01
