Drupal Security Advisories

Project: RenderkitVersion: 7.x-1.x-devDate: 2020-July-01Security risk: Less critical 9∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

This only occurs if all of the following conditions are true:

  • Your site has a field where viewing access is restricted on field level, e.g. using the "Field permissions" module.
  • The access-restricted field is displayed using the "Field with formatter" entity display from renderkit, in combination with one of the affected field display processor components.
Solution: 

If a site is affected there are 2 steps to fix this issue on a site:

Step 1: Install the latest version of renderkit: Step 2: Review your custom modules.

Look for classes that implement FieldDisplayProcessorInterface.
Consider to extend the FieldDisplayProcessorBase class instead of implementing the interface.

Also see the Renderkit project page.

Reported By: Fixed By: Coordinated By: 
Project: Drupal coreDate: 2020-June-17Security risk: Less critical 8∕25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassCVE IDs: CVE-2020-13665 Description: 

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-June-17Security risk: Critical 17∕25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionCVE IDs: CVE-2020-13664Description: 

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
Project: Drupal coreDate: 2020-June-17Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13663Description: 

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

Solution: 

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: Fixed By: 
Project: InternationalizationVersion: 7.x-1.x-devDate: 2020-June-17Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

The Internationalization (i18n) module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites.

A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit terms in " on a taxonomy vocabulary with i18n term translation enabled and the victim uses the i18n term translation page.

Solution: 

Install the latest version:

Also see the Internationalization project page.

Reported By: Fixed By: Coordinated By: 
Project: Open ReadSpeakerVersion: 8.x-1.x-devDate: 2020-June-10Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

Also see the Open ReadSpeaker project page.

Reported By: Fixed By: Coordinated By: 
Project: YubiKeyVersion: 7.x-2.x-devDate: 2020-June-10Security risk: Less critical 9∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.

The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP only. This allows an attacker to attempt many YubiKey OTP codes. However, a brute force attack on this code is not practical in most situations given the length and randomness of the OTP codes.

Solution: 

Install the latest version:

Also see the YubiKey project page.

Reported By: Fixed By: Coordinated By: 
Project: ServicesVersion: 7.x-3.x-devDate: 2020-June-03Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, that certain contrib modules depend on.

This vulnerability is mitigated by the fact your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your api endpoint's path.

Solution: 

Install the latest version:

Also see the Services project page.

Reported By: Fixed By: Coordinated By: 
Project: Password Reset Landing Page (PRLP)Date: 2020-May-27Security risk: Highly critical 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to force a password update when using password reset link.
The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user.

Solution: 

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5

Also see the Password Reset Landing Page (PRLP) project page.

Reported By: Fixed By: Coordinated By: 
Project: Drupal CommerceDate: 2020-May-27Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.

When anonymous users are granted the "View own orders" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.

This vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission "View own orders".

Solution: 

Install the latest version:

Also see the Drupal Commerce project page.

Reported By: Fixed By: Coordinated By: 

What our clients are saying

...creative, independent, responsive...
I had a very tight deadline and budget, and they met it, seemingly with ease.
I love directing our customers to our new site knowing that they are going to be able to find exactly what they are looking for...
I have seen the first layouts and they are awesome...
...we just want you to know that we are appreciative!
...your punctuality, your casual and open personalities, and both your hard copy and online portfolios speak very highly of you and your business as well
...I have no doubt we will have the best site in the 2010 election of any PA candidate
...dedicated, competent and driven to get the job done and done well.
I would highly recommend her for any position requiring IT design and development
...able to take my abstract ideas and add their expertise to bring them to life in a way that was better than I could have imagined!
I realized that I had picked the right company to work with soon after beginning a project with Peerless Design, Inc.
...a pleasure to work with, combining patience (for my busy schedule and at times overwhelmed brain) with her strong motivation and energy to keep me going
...able to translate technical information in an accessible way...
A great experience and a much improved website.
" PDI provides us prompt, effective and efficient service in maintaining our Drupal based website."
I'm so happy we chose to work with PEERLESS Design.
... incredibly impressed with what you brought to the table
...took my less than mediocre site and completely revamped it into a beautiful, professional, and easy-to-navigate site
I would highly recommend her for any position requiring IT design and development
...very responsive to our questions and needs
...can do anything any other designer can do and generally quicker, cheaper and better.
... they also made suggestions which showed me that they fully understood what I wanted to accomplish.
...provided us with excellent, expert service in a professional and personable manner.
Thanks so much for everything!
...continued to monitor it closely and is still always available to help me if I have any questions