#Security tag - Contrib.social

Comment 1 day ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
in Facets » Address sa-contrib-2024-047 in 3.0.x branch
Comment 1 day ago →
🇮🇳India rushiraval
This thread has been idle, in the needs work state with no activity for several months. Therefore, I am assuming that you are no longer pursuing this application. If you are no longer pursuing this application then I mark it as Closed (won't fix).

If this is incorrect, and you are still pursuing this application, then please feel free to set the issue status to Needs work or Needs review, depending on the current status of your code.
in Drupal.org security advisory coverage applications » [1.0.x] TFA Headless
Comment 2 days ago →
🇮🇳India bhanu951
Seems issue summary is good. Update the code against latest head.
in Drupal core » Config translation needs to be validated on input for XSS (like other t string input)
Comment 6 days ago →
🇬🇧United Kingdom sergiur London, UK
Thanks for the work on this! I was having the exact same issue with the Preview button showing even though it was disabled in the content type settings. Your change adding the #access fixes the issue
in Gin Admin Theme » gin_form_after_build does not transfer #access to sticky actions menu

#Security

Issues

Address sa-contrib-2024-047 in 3.0.x branchActiveFacets 3.0 Created about 1 month ago

[1.0.x] TFA HeadlessNeeds reviewDrupal.org security advisory coverage applications Created 6 months ago

Config translation needs to be validated on input for XSS (like other t string input)Needs workDrupal core 9.5 — config_translation.module Created over 9 years ago

gin_form_after_build does not transfer #access to sticky actions menuActiveGin Admin Theme 3.0 Created 9 days ago

Maintenance Pages leak sensitive environment information - pt2ActiveDrupal core 11.0 — base system Created about 2 months ago

"administer stop broken link in body" permission should have "restrict access"ActiveStop Broken Link In Body 2.0 Created 9 days ago

CSRF check always fails for users without a sessionNeeds workDrupal core 10.1 — request processing system Created over 8 years ago

Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.ActiveWebP Created 5 months ago

Allow users to login using either their username OR their e-mail addressActiveDrupal core 11.0 — user.module Created almost 18 years ago

Anonymous Link SecurityActiveWebform CiviCRM Integration 6.0 Created 17 days ago

security advosiryActiveHttp Client Logs 1.0 Created 6 months ago

[policy] Treat username enumerations as security bugs that require Security AdvisoriesActiveDrupal core 11.0 — documentation Created about 3 years ago

[DRAFT] [META] Drupal 7 policy on jQuery related vulnerabilitiesActiveDrupal core 7.0 — documentation Created about 2 months ago

Security review of secure signing components for package managerNeeds reviewDrupal core 11.0 — update.module Created over 1 year ago

Update 10.3.x to ckeditor5 41.3.2ActiveDrupal core 10.3 — ckeditor5.module Created about 1 month ago

[D7] Module and theme names are not filtered on output.ActiveDrupal core 7.0 — base system Created about 1 month ago

XSS attribute filtering is inconsistent and strips valid attributesNeeds workDrupal core 11.0 — base system Created over 9 years ago

[D7] Protect pager against [] for the pageActiveDrupal core 7.0 — system.module Created about 1 month ago

Contact form auto-reply message acts as a spam relayActiveDrupal core 11.0 — contact.module Created over 3 years ago

EntityAccessControlHandler::createAccess() and EntityAccessControlHandler::access() return false positive cache hits because it ignores contextNeeds workDrupal core 11.0 — entity system Created over 7 years ago

Unescaped regular expression input in autocomplete callbackActiveMonitoring 1.0 Created about 1 month ago

Make private file access handling respect the full entity reference chainPostponedDrupal core 10.1 — media system Created about 7 years ago

Maintenance pages leak sensitive environment information.Needs reviewDrupal core 11.0 — base system Created 5 months ago

Figure out what to do about attribute filtering in TwigClosed: outdatedDrupal core 11.0 — theme system Created about 9 years ago

Module could be used for SSRF attacksActiveVideo Embed HTML5 2.0 Created about 1 month ago

Basic Auth module conflicts with server-level "Site Lock" implementationsPostponed: needs infoDrupal core 10.1 — basic_auth.module Created almost 8 years ago

Wrong usage of EntityQuery data producer can lead to SQL access bypassActiveGraphQL 4.0 Created 2 months ago

[PP-1] Validate alternate domain for oEmbed iFramePostponedDrupal core 10.1 — media system Created over 6 years ago

choices/choices 9.0.1 is affected by polyfill.ioActiveWebform 6.2 Created 5 months ago

Warn against repeating character classes in passwordsClosed: works as designedDrupal core 11.0 — user.module Created almost 16 years ago

Expose a way to suppress oEmbed security warningsRTBCDrupal core 11.0 — media system Created over 6 years ago

XSS vulnerability in facet resultsClosed: duplicateFacets autocomplete 2.2 Created 2 months ago

Core Login Block bypasses Email TFANeeds reviewEmail TFA 2.0 Created 2 months ago

twig/twig CVE-2024-45411 Closed: duplicateDrupal core 10.3 — markup Created 2 months ago

Forbid use of 'A-z' pattern in regular expressionsClosed: outdatedDrupal core 11.0 — other Created over 7 years ago

Allow rel noopenerNeeds reviewSocial Media Links Block and Field 2.0 Created over 6 years ago

Private file download returns access denied, when file attached to revision other than currentNeeds workDrupal core 11.0 — file.module Created over 12 years ago

File upload fields added to contact forms should upload to private:// by defaultNeeds workDrupal core 11.0 — contact.module Created almost 2 years ago

Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on ActiveDrupal core 11.0 — filter.module Created almost 3 years ago

Taxonomy Index for unpublished entitiesNeeds workDrupal core 10.3 — taxonomy.module Created about 14 years ago

polyfill.io library is no longer considered safe to useFixedGOV.UK Theme 1.0 Created 5 months ago

Register symfony's mime guessers if they are supportedNeeds workDrupal core 11.0 — base system Created almost 10 years ago

Decompress files for aaa_update_testPostponedDrupal core 11.0 — phpunit Created 5 months ago

On some servers, the Update Manager allows administrators to directly execute arbitrary code even without the PHP moduleFixedDrupal core 11.0 — update.module Created about 14 years ago

polyfill.io Library is no longer considered safe to useFixedGeofield Map 3.0 Created 5 months ago

Decompress files for config_install testingFixedDrupal core 10.4 — phpunit Created 5 months ago

Security dependencies jsNeeds reviewEditor Advanced link 2.2 Created about 1 year ago

Rework database update tests so we don't have to ship database dumps in gitActiveDrupal core 11.0 — phpunit Created 12 months ago

Polyfill.io is no longer considered safe and should be removedFixedLeaflet 10.2 Created 9 months ago

Security issue because of unescaped field labelsActiveViews (for Drupal 7) 3.0 Created about 12 years ago

Potential risks using "Direct query" parse mode with views?ActiveSearch API Solr 4.0 Created 5 months ago

XSS vulnerability in facet resultsFixedFacets autocomplete 2.1 Created 9 months ago

Create new stable release for 6.2.3 to close security issueFixedWebform 6.2 Created 5 months ago

polyfill.io Library is no longer considered safe to useFixedQuicklink 2.0 Created 5 months ago

[META] Drupal should not commit compressed files, binaries, or databasesNeeds workDrupal core 11.0 — phpunit Created 5 months ago

polyfill.io Library is no longer considered safe to useFixedWebform prefill 1.2 Created 5 months ago

polyfill.io library is no longer considered safe to useFixedTest Suite 3.0 Created 5 months ago

Consider using phpstorage for update moduleClosed: outdatedDrupal core 11.0 — update.module Created over 8 years ago

polyfill.io Library is no longer considered safe to useFixedWebform 6.2 Created 8 months ago

CVE-2024-24815 ActiveCKEditor 4 - WYSIWYG HTML editor 1.0 Created 9 months ago

polyfill.io library is no longer considered safe to useActiveDSFR 2.1 Created 5 months ago

polyfill.io library is no longer considered safe to useNeeds reviewJiGS- MMORPG and Trading game system Created 5 months ago

polyfill.io library is no longer considered safe to useNeeds reviewGOV.UK Design System 2.0 Created 5 months ago

Decompress files for update_test_new_moduleActiveDrupal core 11.0 — phpunit Created 5 months ago

Field visibility access is not applied correctly due to cachingActiveUser Fields Visibility 1.0 Created 6 months ago

Sort out why the OWASP dependency-check returns incorrect versionsPostponed: needs infoDrupal core 11.0 — other Created almost 2 years ago

Harden TwigSandbox methodsNeeds workDrupal core 11.0 — theme system Created about 3 years ago

XSS in Vimeo video IDRTBCVideo Embed Field 2.0 Created over 2 years ago

CSRF on delete urlFixedParagraphs admin 1.0 Created about 6 years ago

Specification includes disabled resourcesRTBCOpenAPI for REST 2.0 Created over 1 year ago

Allow for Project Browser to surface existing permissions changes to user for RecipesActiveProject Browser 1.0 Created 6 months ago

HTTP_HOST header cannot be trustedFixedDrupal core 8.0 — base system Created over 10 years ago

cmis.cmis_object_delete route is not protected against CSRF attacksActiveCMIS API Created 7 months ago

Block access to .scss, .sass, .less, .pcss and .pcss.css filesNeeds workDrupal core 11.0 — asset library system Created almost 4 years ago

Provide a tour which points to settings which are important when you publish a siteClosed: outdatedTour 1.0 Created almost 10 years ago

Allow sites to programmatically opt in to accept more image type uploads in CKEditor 5: TIFF, SVG…FixedDrupal core 10.3 — ckeditor5.module Created over 2 years ago

Should "iFrame domain" also set "X-Frame-Options" header Needs workDrupal core 11.0 — media system Created over 5 years ago

[11.x] Remove the CKEditor 4 upgrade pathFixedDrupal core 11.0 — ckeditor5.module Created about 3 years ago

Address sa-contrib-2024-047 in 3.0.x branch
Active
Facets 3.0
Created about 1 month ago

[1.0.x] TFA Headless
Needs review
Drupal.org security advisory coverage applications
Created 6 months ago

Config translation needs to be validated on input for XSS (like other t string input)
Needs work
Drupal core 9.5 — config_translation.module
Created over 9 years ago

gin_form_after_build does not transfer #access to sticky actions menu
Active
Gin Admin Theme 3.0
Created 9 days ago

Maintenance Pages leak sensitive environment information - pt2
Active
Drupal core 11.0 — base system
Created about 2 months ago

"administer stop broken link in body" permission should have "restrict access"
Active
Stop Broken Link In Body 2.0
Created 9 days ago

CSRF check always fails for users without a session
Needs work
Drupal core 10.1 — request processing system
Created over 8 years ago

Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.
Active
WebP
Created 5 months ago

Allow users to login using either their username OR their e-mail address
Active
Drupal core 11.0 — user.module
Created almost 18 years ago

Anonymous Link Security
Active
Webform CiviCRM Integration 6.0
Created 17 days ago

security advosiry
Active
Http Client Logs 1.0
Created 6 months ago

[policy] Treat username enumerations as security bugs that require Security Advisories
Active
Drupal core 11.0 — documentation
Created about 3 years ago

[DRAFT] [META] Drupal 7 policy on jQuery related vulnerabilities
Active
Drupal core 7.0 — documentation
Created about 2 months ago

Security review of secure signing components for package manager
Needs review
Drupal core 11.0 — update.module
Created over 1 year ago

Update 10.3.x to ckeditor5 41.3.2
Active
Drupal core 10.3 — ckeditor5.module
Created about 1 month ago

[D7] Module and theme names are not filtered on output.
Active
Drupal core 7.0 — base system
Created about 1 month ago

XSS attribute filtering is inconsistent and strips valid attributes
Needs work
Drupal core 11.0 — base system
Created over 9 years ago

[D7] Protect pager against [] for the page
Active
Drupal core 7.0 — system.module
Created about 1 month ago

Contact form auto-reply message acts as a spam relay
Active
Drupal core 11.0 — contact.module
Created over 3 years ago

EntityAccessControlHandler::createAccess() and EntityAccessControlHandler::access() return false positive cache hits because it ignores context
Needs work
Drupal core 11.0 — entity system
Created over 7 years ago

Unescaped regular expression input in autocomplete callback
Active
Monitoring 1.0
Created about 1 month ago

Make private file access handling respect the full entity reference chain
Postponed
Drupal core 10.1 — media system
Created about 7 years ago

Maintenance pages leak sensitive environment information.
Needs review
Drupal core 11.0 — base system
Created 5 months ago

Figure out what to do about attribute filtering in Twig
Closed: outdated
Drupal core 11.0 — theme system
Created about 9 years ago

Module could be used for SSRF attacks
Active
Video Embed HTML5 2.0
Created about 1 month ago

Basic Auth module conflicts with server-level "Site Lock" implementations
Postponed: needs info
Drupal core 10.1 — basic_auth.module
Created almost 8 years ago

Wrong usage of EntityQuery data producer can lead to SQL access bypass
Active
GraphQL 4.0
Created 2 months ago

[PP-1] Validate alternate domain for oEmbed iFrame
Postponed
Drupal core 10.1 — media system
Created over 6 years ago

choices/choices 9.0.1 is affected by polyfill.io
Active
Webform 6.2
Created 5 months ago

Warn against repeating character classes in passwords
Closed: works as designed
Drupal core 11.0 — user.module
Created almost 16 years ago

Expose a way to suppress oEmbed security warnings
RTBC
Drupal core 11.0 — media system
Created over 6 years ago

XSS vulnerability in facet results
Closed: duplicate
Facets autocomplete 2.2
Created 2 months ago

Core Login Block bypasses Email TFA
Needs review
Email TFA 2.0
Created 2 months ago

twig/twig CVE-2024-45411
Closed: duplicate
Drupal core 10.3 — markup
Created 2 months ago

Forbid use of 'A-z' pattern in regular expressions
Closed: outdated
Drupal core 11.0 — other
Created over 7 years ago

Allow rel noopener
Needs review
Social Media Links Block and Field 2.0
Created over 6 years ago

Private file download returns access denied, when file attached to revision other than current
Needs work
Drupal core 11.0 — file.module
Created over 12 years ago

File upload fields added to contact forms should upload to private:// by default
Needs work
Drupal core 11.0 — contact.module
Created almost 2 years ago

Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on
Active
Drupal core 11.0 — filter.module
Created almost 3 years ago

Taxonomy Index for unpublished entities
Needs work
Drupal core 10.3 — taxonomy.module
Created about 14 years ago

polyfill.io library is no longer considered safe to use
Fixed
GOV.UK Theme 1.0
Created 5 months ago

Register symfony's mime guessers if they are supported
Needs work
Drupal core 11.0 — base system
Created almost 10 years ago

Decompress files for aaa_update_test
Postponed
Drupal core 11.0 — phpunit
Created 5 months ago

On some servers, the Update Manager allows administrators to directly execute arbitrary code even without the PHP module
Fixed
Drupal core 11.0 — update.module
Created about 14 years ago

polyfill.io Library is no longer considered safe to use
Fixed
Geofield Map 3.0
Created 5 months ago

Decompress files for config_install testing
Fixed
Drupal core 10.4 — phpunit
Created 5 months ago

Security dependencies js
Needs review
Editor Advanced link 2.2
Created about 1 year ago

Rework database update tests so we don't have to ship database dumps in git
Active
Drupal core 11.0 — phpunit
Created 12 months ago

Polyfill.io is no longer considered safe and should be removed
Fixed
Leaflet 10.2
Created 9 months ago

Security issue because of unescaped field labels
Active
Views (for Drupal 7) 3.0
Created about 12 years ago

Potential risks using "Direct query" parse mode with views?
Active
Search API Solr 4.0
Created 5 months ago

XSS vulnerability in facet results
Fixed
Facets autocomplete 2.1
Created 9 months ago

Create new stable release for 6.2.3 to close security issue
Fixed
Webform 6.2
Created 5 months ago

polyfill.io Library is no longer considered safe to use
Fixed
Quicklink 2.0
Created 5 months ago

[META] Drupal should not commit compressed files, binaries, or databases
Needs work
Drupal core 11.0 — phpunit
Created 5 months ago

polyfill.io Library is no longer considered safe to use
Fixed
Webform prefill 1.2
Created 5 months ago

polyfill.io library is no longer considered safe to use
Fixed
Test Suite 3.0
Created 5 months ago

Consider using phpstorage for update module
Closed: outdated
Drupal core 11.0 — update.module
Created over 8 years ago

polyfill.io Library is no longer considered safe to use
Fixed
Webform 6.2
Created 8 months ago

CVE-2024-24815
Active
CKEditor 4 - WYSIWYG HTML editor 1.0
Created 9 months ago

polyfill.io library is no longer considered safe to use
Active
DSFR 2.1
Created 5 months ago

polyfill.io library is no longer considered safe to use
Needs review
JiGS- MMORPG and Trading game system
Created 5 months ago

polyfill.io library is no longer considered safe to use
Needs review
GOV.UK Design System 2.0
Created 5 months ago

Decompress files for update_test_new_module
Active
Drupal core 11.0 — phpunit
Created 5 months ago

Field visibility access is not applied correctly due to caching
Active
User Fields Visibility 1.0
Created 6 months ago

Sort out why the OWASP dependency-check returns incorrect versions
Postponed: needs info
Drupal core 11.0 — other
Created almost 2 years ago

Harden TwigSandbox methods
Needs work
Drupal core 11.0 — theme system
Created about 3 years ago

XSS in Vimeo video ID
RTBC
Video Embed Field 2.0
Created over 2 years ago

CSRF on delete url
Fixed
Paragraphs admin 1.0
Created about 6 years ago

Specification includes disabled resources
RTBC
OpenAPI for REST 2.0
Created over 1 year ago

Allow for Project Browser to surface existing permissions changes to user for Recipes
Active
Project Browser 1.0
Created 6 months ago

HTTP_HOST header cannot be trusted
Fixed
Drupal core 8.0 — base system
Created over 10 years ago

cmis.cmis_object_delete route is not protected against CSRF attacks
Active
CMIS API
Created 7 months ago

Block access to .scss, .sass, .less, .pcss and .pcss.css files
Needs work
Drupal core 11.0 — asset library system
Created almost 4 years ago

Provide a tour which points to settings which are important when you publish a site
Closed: outdated
Tour 1.0
Created almost 10 years ago

Allow sites to programmatically opt in to accept more image type uploads in CKEditor 5: TIFF, SVG…
Fixed
Drupal core 10.3 — ckeditor5.module
Created over 2 years ago

Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 5 years ago

[11.x] Remove the CKEditor 4 upgrade path
Fixed
Drupal core 11.0 — ckeditor5.module
Created about 3 years ago

Convert tracker listings to a view
Needs work
Activity Tracker 1.0
Created over 11 years ago

Test files are publicly accessible
Needs review
Drupal core 7.0 — other
Created over 1 year ago