Category Archives: Advisories

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-006

Read Time:1 Minute, 18 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Cross Site Request Forgery
CVE IDs: 
CVE-2020-13673
Description: 

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

This advisory is not covered by Drupal Steward.

Also see Entity Embed – Moderately critical – Cross Site Request Forgery – SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.

Updated 18:15 UTC to clarify text.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Aaron Zinck
Sean Blommaert
Alex Bronstein of the Drupal Security Team
Marcos Cano
Lee Rowlands of the Drupal Security Team
Adam G-H
Jess of the Drupal Security Team
Drew Webber of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Brian Tofte-Schumacher

Read More

WordPress 5.8.1 Security and Maintenance Release

Read Time:2 Minute, 31 Second

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API.Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

Props Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.Props Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen:

2linctools, Adam Zielinski, Alain Schlesser, Alex Lende, alexstine, AlGala, André, Andrei Draganescu, Andrew Ozz, Ankit Panchal, Anthony Burchell, Anton Vlasenko, Ari Stathopoulos, Bruno Ribaric, Carolina Nymark, Daisy Olsen, Daniel Richards, Daria, David Anderson, David Biňovec, David Herrera, Dominik Schilling, Ella van Durpe, Enchiridion, Evan Mullins, Gary Jones, George Mamadashvili, Greg Ziółkowski, Héctor Prieto, ianmjones, Jb Audras, Jeff Bowen, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kapil Paul, Kerry Liu, Kevin Fodness, Marcus Kazmierczak, Mark-k, Matt, Michael Adams (mdawaffe), Mike Schroder, moch11, Mukesh Panchal, Nik Tsekouras, Paal Joachim Romdahl, Pascal Birchler, Paul Bearne, Paul Biron, Peter Wilson, Petter Walbø Johnsgård, Radixweb, Rahul Mehta, ramonopoly, ravipatel, Riad Benguella, Robert Anderson, Rodrigo Arias, Sanket Chodavadiya, Sergey Biryukov, Stephen Bernhardt, Stephen Edgar, Steve Henty, terraling, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toro_Unit (Hiroshi Urabe), Vlad T, wb1234, and WFMattR.

Read More

[R2] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities

Read Time:23 Second
Tenable.sc leverages third-party software to help provide underlying functionality. Multiple third-party components were found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc 5.19.0 updates the following components:

1. Handlebars
CVE-2019-19919
Severity: Critical

2. Underscore
CVE-2021-23358
Severity: High

Read More