Drupal Security Advisories

Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureCVE IDs: CVE-2020-13670Description: 

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13667Description: 

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.

The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.

This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13669Description: 

Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-September-16Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13668Description: 

Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances.

An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

In addition to updating Drupal core, sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13666Description: 

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.

If you were previously relying on Drupal's AJAX API to perform trusted JSONP requests, you'll either need to override the AJAX options to set "jsonp: true", or you'll need to use the jQuery AJAX API directly.

If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

Reported By: Fixed By: 
Project: GroupVersion: 8.x-1.x-devDate: 2020-August-05Security risk: Moderately critical 11∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: 

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

Under very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions of the 2nd group type for the grouped content.

This vulnerability is mitigated by the fact that you must already have a rare set-up and the two group types are configured in a way where one is more permissive than the other over the same type of content.

Solution: 

Install the latest version:

  • If you are using 8.x-1.0 or later, you should upgrade to 8.x-1.2.
  • If you are using 8.x-1.0-rc5, that version is not affected by this issue. You can also consider upgrading to 8.x-1.2.
Reported By: Fixed By: 

What our clients are saying

I would highly recommend her for any position requiring IT design and development
Thanks so much for everything!
A great experience and a much improved website.
...a pleasure to work with, combining patience (for my busy schedule and at times overwhelmed brain) with her strong motivation and energy to keep me going
...continued to monitor it closely and is still always available to help me if I have any questions
I love directing our customers to our new site knowing that they are going to be able to find exactly what they are looking for...
... incredibly impressed with what you brought to the table
... they also made suggestions which showed me that they fully understood what I wanted to accomplish.
...creative, independent, responsive...
...I have no doubt we will have the best site in the 2010 election of any PA candidate
I realized that I had picked the right company to work with soon after beginning a project with Peerless Design, Inc.
...provided us with excellent, expert service in a professional and personable manner.
I have seen the first layouts and they are awesome...
I would highly recommend her for any position requiring IT design and development
I had a very tight deadline and budget, and they met it, seemingly with ease.
" PDI provides us prompt, effective and efficient service in maintaining our Drupal based website."
...can do anything any other designer can do and generally quicker, cheaper and better.
...able to take my abstract ideas and add their expertise to bring them to life in a way that was better than I could have imagined!
...able to translate technical information in an accessible way...
...very responsive to our questions and needs
...we just want you to know that we are appreciative!
...your punctuality, your casual and open personalities, and both your hard copy and online portfolios speak very highly of you and your business as well
...took my less than mediocre site and completely revamped it into a beautiful, professional, and easy-to-navigate site
I'm so happy we chose to work with PEERLESS Design.
...dedicated, competent and driven to get the job done and done well.