Monday, January 24, 2022
Drupal

Drupal core – Moderately critical – Cross site scripting – SA-CORE-2022-002

Project: Drupal coreDate: 2022-January-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross site scriptingDescription: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery...
Drupal

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2022-001

Project: Drupal coreDate: 2022-January-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site ScriptingDescription: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a...
Drupal

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2021-011

Project: Drupal coreDate: 2021-November-17Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library...
Drupal

Drupal core – Moderately critical – Access Bypass – SA-CORE-2021-010

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access BypassCVE IDs: CVE-2020-13677Description: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are...
Drupal

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-009

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13676Description: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with...
Drupal

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-008

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassCVE IDs: CVE-2020-13675Description: Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able...
Drupal

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-007

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13674Description: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if...
Drupal

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-006

Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13673Description: The Drupal core Media module provides a filter to allow embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject...
Drupal

Drupal core – Moderately critical – Third-party libraries – SA-CORE-2021-005

Project: Drupal coreDate: 2021-August-12Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Third-party librariesDescription: The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for...
Drupal

Drupal core – Critical – Drupal core – Critical – Third-party libraries – SA-CORE-2021-004

Project: Drupal coreDate: 2021-July-21Security risk: Critical 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Drupal core - Critical - Third-party librariesCVE IDs: CVE-2021-32610Description: The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of...
Drupal

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2021-003

Project: Drupal coreDate: 2021-May-26Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site ScriptingDescription: Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. Solution: Install the latest version: If you are using Drupal 9.1, update...
Drupal

Drupal core – Critical – Cross-site scripting – SA-CORE-2021-002

Project: Drupal coreDate: 2021-April-21Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingDescription: Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites....

MoleRats APT Launches Spy Campaign on Bankers, Politicians, Journalists

State-sponsored cyberattackers are using Google Drive, Dropbox and other legitimate services to drop spyware on Middle-Eastern targets and exfiltrate data.

The Case for Backing Up Source Code

As enterprise data security concerns grow, security experts urge businesses to back up their GitLab, GitHub, and BitBucket repositories.

Surge in Malicious QR Codes Sparks FBI Alert

QR codes have become a go-to staple for contactless transactions of all sorts during the pandemic, and the FBI is warning cybercriminals are capitalizing on their lax security to steal data and money, and drop malware.

Dark Souls 3 Servers Shut Down Due to Critical RCE Bug

The bug can allow attackers to remotely execute code on gamers’ computers. The devs temporarily deactivated PvP servers across multiple affected versions.
TechRepublic

REvil gang member arrests strike fear among cybercriminals on the Dark Web

Dark Web forum posts uncovered by Trustwave show that the recent arrests in Russia have triggered major concerns among fellow criminals.