Drupal core – Highly critical – Remote Code Execution – SA-CORE-2019-003
Project: Drupal coreDate: 2019-February-20Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionCVE IDs: CVE-2019-6340Description: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
A site is only affected by this if one of...
Drupal core – Critical – Third Party Libraries – SA-CORE-2019-001
Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Third Party Libraries Description: Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.Solution: If you are using Drupal 8.6.x, upgrade to...
Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2019-002
Project: Drupal coreDate: 2019-January-16Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescription: A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
Some Drupal code (core, contrib, and custom) may be performing file operations...
Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006
Advisory ID: DRUPAL-SA-CONTRIB-2018-006
Project: Drupal core
Version: 7.x, 8.x
Date: 2018-October-17
Description
Content moderation - Moderately critical - Access bypass - Drupal 8
In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.
In order...
Drupal Core – 3rd-party libraries -SA-CORE-2018-005
Advisory ID: SA-CORE-2018-005
Project: Drupal core
Version: 8.x
CVE: CVE-2018-14773
Date: 2018-August-01
Description
The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.
The same vulnerability also exists in the...
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-004
Project: Drupal coreDate: 2018-April-25Security risk: Highly critical 20∕25 AC:Basic/A:User/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code ExecutionCVE IDs: CVE-2018-7602Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in...
Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2018-003
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription:
CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor...
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code Execution CVE IDs: CVE-2018-7600Description:
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could...
Drupal core – Critical – Multiple Vulnerabilities – SA-CORE-2018-001
Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.
Comment reply form allows access to restricted content - Critical - Drupal 8 -...
Can you really sniff out gas station card skimmers with your phone?
A viral post suggests (wrongly) that card skimmers always use Bluetooth. Anyway, just looking at nearby Bluetooth names doesn't help much...
Canada Helping Australia Determine ‘Full Extent’ of Hack
Canada's electronic eavesdropping agency said Wednesday it is working with Canberra to try to determine the scale of computer hacking on Australia's parliament and political parties just months from an election.
read more
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
Maritime transport still contributes in an important way to the world’s economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyberattack is a relatively...
30 years in: My, how SC and security have changed
1989. Acid wash jeans, Bon Jovi and the compassionate conservatism of the Reagan Era were actually, unironically popular. The Berlin Wall fell, free elections were held in the then Soviet Congress of Deputies, Vaclev Havel became president of Czechoslavakia,...
WinPot ATM Malware Resembles a Slot Machine
A piece of malware targeting automated teller machines (ATMs) has an interface that looks like a slot machine, Kaspersky Lab reports.
Dubbed WinPot, the malware was initially detected in March last year, targeting the ATMs of a popular vendor to...
