Category Archives: Advisories

Drupal core – Moderately critical – Information disclosure – SA-CORE-2022-004

Read Time:1 Minute, 21 Second
Project: 
Date: 
2022-February-16
Vulnerability: 
Information disclosure
CVE IDs: 
CVE-2022-25270
Description: 

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the “access in-place editing” permission viewing some content they are are not authorized to access.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

Also see Quick Edit – Moderately critical – Information disclosure – SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.6.
If you are using Drupal 9.2, update to Drupal 9.2.13.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the QuickEdit module and therefore is not affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Reported By: 
Fixed By: 
Théodore Biadala
xjm of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Adam G-H
Drew Webber of the Drupal Security Team
Wim Leers
Ted Bowman
Dave Long
Derek Wright
Lee Rowlands of the Drupal Security Team
Samuel Mortenson
Joseph Zhao

Read More

Drupal core – Moderately critical – Improper input validation – SA-CORE-2022-003

Read Time:1 Minute, 3 Second
Project: 
Date: 
2022-February-16
Vulnerability: 
Improper input validation
CVE IDs: 
CVE-2022-25271
Description: 

Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.6.
If you are using Drupal 9.2, update to Drupal 9.2.13.
If you are using Drupal 7, update to Drupal 7.88.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 
Fixed By: 
xjm of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Ben Dougherty of the Drupal Security Team
Drew Webber of the Drupal Security Team
Jen Lampton
Nate Lampton
Fabian Franz
Alex Bronstein of the Drupal Security Team

Read More

DSA-5078 zsh – security update

Read Time:15 Second

It was discovered that zsh, a powerful shell and scripting language,
did not prevent recursive prompt expansion. This would allow an
attacker to execute arbitrary commands into a user’s shell, for
instance by tricking a vcs_info user into checking out a git branch
with a specially crafted name.

Read More

A Vulnerability in Apple Products Could Allow for Arbitrary Code Execution

Read Time:39 Second

A vulnerability has been discovered in Apple Products, which could allow for arbitrary code execution if a user views a specially crafted web page.

iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
macOS Monterey is the 18th and current major release of macOS.
Safari is a graphical web browser developed by Apple.

Successful exploitation of this vulnerability could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:31 Second

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights

Read More

DSA-5076 h2database – security update

Read Time:26 Second

Security researchers of JFrog Security and Ismail Aydemir discovered two remote
code execution vulnerabilities in the H2 Java SQL database engine which can be
exploited through various attack vectors, most notably through the H2 Console
and by loading custom classes from remote servers through JNDI. The H2 console
is a developer tool and not required by any reverse-dependency in Debian. It
has been disabled in (old)stable releases. Database developers are advised to
use at least version 2.1.210-1, currently available in Debian unstable.

Read More

DSA-5075 minetest – security update

Read Time:23 Second

Several vulnerabilities have been discovered in Minetest, a sandbox video game
and game creation system. These issues may allow attackers to manipulate game
mods and grant them an unfair advantage over other players. These flaws could
also be abused for a denial of service attack against a Minetest server or if
user input is passed directly to minetest.deserialize without serializing it
first, then a malicious user could run Lua code in the server environment.

Read More