Drupal News

  1. Project: 
    Version: 
    8.8.x-dev
    8.7.x-dev
    Date: 
    2020-March-18
    Vulnerability: 
    Third-party library
    Description: 

    The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

    Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.

    The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.

    The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

    Note for Drupal 7 users

    Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.

  2. Project: 
    Version: 
    8.8.x-dev
    8.7.x-dev
    7.x-dev
    Date: 
    2019-December-18
    Vulnerability: 
    Multiple vulnerabilities
    Description: 

    The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

    Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

    The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

    Edited to clarify the nature of the upstream release.

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    (Note that this SA is the only one in the list that applies to Drupal 7.x)

    Reported By: 
    Fixed By: 
  3. Project: 
    Version: 
    8.8.x-dev
    8.7.x-dev
    Date: 
    2019-December-18
    Vulnerability: 
    Access bypass
    Description: 

    The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

    Solution: 
    • If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
    • If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.

    Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

    Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    Reported By: 
    Fixed By: 
  4. Project: 
    Version: 
    8.8.x-dev
    8.7.x-dev
    Date: 
    2019-December-18
    Vulnerability: 
    Multiple vulnerabilities
    Description: 

    Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

    Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

    After this fix, file_save_upload() now trims leading and trailing dots from filenames.

    Solution: 

    Install the latest version:

    • If you use Drupal core 8.7.x: 8.7.11
    • If you use Drupal core 8.8.x: 8.8.1

    Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    Fixed By: 
  5. Project: 
    Version: 
    8.8.x-dev
    8.7.x-dev
    Date: 
    2019-December-18
    Vulnerability: 
    Denial of Service
    Description: 

    A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

    Solution: 

    Install the latest version:

    Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

    To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.

    Additional information

    All advisories released today:

    Updating to the latest Drupal core release will apply the fixes for all the above advisories.

    Reported By: 
    Fixed By: 

Customer Login

We recommend the use of Google Authenticator to all of our users for two factor authentication. To find out more about this click here.