Drupal Security Advisories

Project: Svg ImageDate: 2020-March-25Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

Also see the Svg Image project page.

Reported By: Fixed By: Coordinated By: 
Project: CKEditor - WYSIWYG HTML editorDate: 2020-March-18Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution: 

Install the latest version:

Also see the CKEditor- WYSIWYG HTML editor project page

Reported By: Fixed By: Coordinated By: 
Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2020-March-18Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Third-party libraryDescription: 

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Note for Drupal 7 users

Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.

Project: SAML Service ProviderDate: 2020-March-11Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration.

Solution: 

Install the latest version:

Also see the SAML Service Provider project page.

Reported By: Fixed By: Coordinated By: 
Project: SVG FormatterDate: 2020-March-04Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Formatter module provides support for using SVG images on your website.

This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.

This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.

Solution: 

Install the latest version:

Also see the SVG Formatter project page.

Reported By: Fixed By: Coordinated By: 
Project: ProfileDate: 2020-February-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution: 

Install the latest version:

Also see the Profile project page.

Reported By: Fixed By: Coordinated By: 
Project: Views Bulk Operations (VBO)Date: 2020-February-05Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Solution: 

Install the latest version:

Also see the Views Bulk Operations (VBO) project page.

Reported By: Fixed By: Coordinated By: 

What our clients are saying

...creative, independent, responsive...
...very responsive to our questions and needs
I love directing our customers to our new site knowing that they are going to be able to find exactly what they are looking for...
" PDI provides us prompt, effective and efficient service in maintaining our Drupal based website."
... they also made suggestions which showed me that they fully understood what I wanted to accomplish.
...can do anything any other designer can do and generally quicker, cheaper and better.
I'm so happy we chose to work with PEERLESS Design.
...continued to monitor it closely and is still always available to help me if I have any questions
I have seen the first layouts and they are awesome...
I realized that I had picked the right company to work with soon after beginning a project with Peerless Design, Inc.
...your punctuality, your casual and open personalities, and both your hard copy and online portfolios speak very highly of you and your business as well
A great experience and a much improved website.
...dedicated, competent and driven to get the job done and done well.
...took my less than mediocre site and completely revamped it into a beautiful, professional, and easy-to-navigate site
...I have no doubt we will have the best site in the 2010 election of any PA candidate
...provided us with excellent, expert service in a professional and personable manner.
...we just want you to know that we are appreciative!
I had a very tight deadline and budget, and they met it, seemingly with ease.
...a pleasure to work with, combining patience (for my busy schedule and at times overwhelmed brain) with her strong motivation and energy to keep me going
...able to translate technical information in an accessible way...
...able to take my abstract ideas and add their expertise to bring them to life in a way that was better than I could have imagined!
Thanks so much for everything!
... incredibly impressed with what you brought to the table
I would highly recommend her for any position requiring IT design and development
I would highly recommend her for any position requiring IT design and development