Friday, June 5, 2020
Drupal

Drupal core – Moderately critical – Open Redirect – SA-CORE-2020-003

Project: Drupal coreDate: 2020-May-20Security risk: Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Open RedirectDescription: Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by...
Drupal

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2020-002

Project: Drupal coreDate: 2020-May-20Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are security issues in...
Drupal

Drupal core – Moderately critical – Third-party library – SA-CORE-2020-001

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2020-March-18Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Third-party libraryDescription: The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor...
Drupal

Drupal core – Moderately critical – Access bypass – SA-CORE-2019-011

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.Solution: If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11. If you are...
Drupal

Drupal core – Critical – Multiple vulnerabilities – SA-CORE-2019-012

Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file...
Drupal

Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2019-010

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed...
Drupal

Drupal core – Moderately critical – Denial of Service – SA-CORE-2019-009

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.Solution: Install the latest version: If you are using Drupal 8.7.x, upgrade...
Drupal

Drupal core – Critical – Access bypass – SA-CORE-2019-008

Project: Drupal coreDate: 2019-July-17Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2019-6342Description: In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than...

Electrolux, Others Conned Out of Big Money by BEC Scammer

Kenenty Hwan Kim has pleaded guilty to swindling the appliance giant and other companies in a set of elaborate schemes.
The Register

Kind of goes without saying, but fix your admin passwords or risk getting borged by this brute-forcing botnet

Publishing platforms, hosts being targeted by Stealthworker malware Servers are being targeted with a malware attack that uses its infected hosts to brute-force other machines.…

News Wrap: Fake Minneapolis Police Breach, Zoom End-To-End Encryption Debate

Threatpost editors discuss debunked reports of a Minneapolis police department breach and Zoom announcing only paying users would get end-to-end encryption.
ZDNet

QNAP NAS devices targeted in another wave of ransomware attacks

eCh0raix ransomware gang returns with a new wave of attacks against QNAP NAS devices.

Name That Toon: Sign of the Tides

Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.