These posts by the Drupal security team are also sent to the security announcements e-mail list.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Date: 2019-March-20

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Date: 2019-February-20
CVE IDs: CVE-2019-6340

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

Date: 2019-January-16
CVE IDs: CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

Date: 2019-January-16
CVE IDs: CVE-2019-6338

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

  • Advisory ID: DRUPAL-SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

Date: 2018-April-25
CVE IDs: CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Date: 2018-April-18
CVE IDs: CVE-2018-9861

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Date: 2018-March-28
CVE IDs: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Date: 2018-February-21

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
