The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.
If you are using Drupal 10.0, update to Drupal 10.0.2.
If you are using Drupal 9.5, update to Drupal 9.5.2.
If you are using Drupal 9.4, update to Drupal 9.4.10.
A vulnerability classified as critical has been found in ale7714 sigeprosi. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is 5291886f6c992316407c376145d331169c55f25b. It is recommended to apply a patch to fix this issue. The identifier VDB-218493 was assigned to this vulnerability.
A vulnerability was found in iamdroppy phoenixcf. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file content/2-Community/articles.cfm. The manipulation leads to sql injection. The name of the patch is d156faf8bc36cd49c3b10d3697ef14167ad451d8. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218491.
Graham Cluley Security News is sponsored this week by the folks at SecurEnvoy. Thanks to the great team there for their support! We are often approached by organisations that depend on on-premise applications and data storage, who are looking for a multi-factor authentication solution, but are unable to move to a cloud-based solution for authentication. … Continue reading “Does your MFA solution secure access to your on-premise apps as well as those in the cloud?”
Threat protection company Perception Point has launched Advanced Threat Protection for Zendesk to provide detection and remediation services for Zendesk customers. Perception Point said that customers can now protect customer service software Zendesk a single, consolidated platform alongside their email, web browsers and other cloud collaboration apps. Advanced Threat Protection for Zendesk has been built to help secure vulnerable help desks and customer support teams from external threats such as malicious content within tickets, the firm stated.
Help desk, customer service teams key attack targets
In organizations, help desk and customer support staff often have access to workstations, mobile devices, routers, and servers, as well as the complete digital workplace system and the data associated with it. They also typically communicate regularly with people outside of the organization. These factors make them attractive attack targets and particularly vulnerable to external threats originating from malicious content. Content uploaded externally can potentially be used as a vehicle for cyberattacks, allowing malicious payloads to enter an organization’s system, Perception Point noted in its announcement.
Cybersecurity vendor Trustwave has announced the relaunch of its Advanced Continual Threat Hunting platform with new, patent-pending human-led threat hunting methodology. The firm claimed the enhancement will allow its SpiderLabs threat hunting teams to conduct increased human-led threat hunts and discover more behavior-based findings that could go undetected by traditional endpoint detection and response (EDR) tools.
New method hunts for behaviors associated with known threat actors
In a press release, Trustwave stated that its security teams regularly perform advanced threat hunting to study the tactics, techniques, and procedures (TTPs) of sophisticated threat actors. Trustwave’s new intellectual property (IP) goes beyond indicators of compromise (IoC) to uncover new or unknown threats by hunting for indicators of behavior (IoB) associated with specific attackers.
