#Security tag - Contrib.social

Comment about 1 hour ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
in Paragraphs admin » CSRF on delete url
Comment 2 days ago →
🇧🇪Belgium msnassar
Test only patch to demonstrate the issue.
in User Fields Visibility » Field visibility access is not applied correctly due to caching
Issue created by @msnassar
in User Fields Visibility » Field visibility access is not applied correctly due to caching
Comment 3 days ago →
🇩🇪Germany Anybody Porta Westfalica
FYI: I closed 🐛 Disabled Content Rest API throws exception on REST Specification page Needs work as duplicate.
in OpenAPI for REST » Specification includes disabled resources
Comment 3 days ago →
🇩🇪Germany Anybody Porta Westfalica
Great work @kasperg! RTBC!

Any maintainers to finally review and merge this important fix?
in OpenAPI for REST » Specification includes disabled resources
Issue created by @mherchel
in Project Browser » Allow for Project Browser to surface existing permissions changes to user for Recipes
Comment 6 days ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.
in Drupal core » HTTP_HOST header cannot be trusted

#Security

Issues

CSRF on delete urlFixedParagraphs admin 1.0 Created over 5 years ago

Field visibility access is not applied correctly due to cachingActiveUser Fields Visibility 1.0 Created 2 days ago

Specification includes disabled resourcesRTBCOpenAPI for REST 2.0 Created about 1 year ago

Allow for Project Browser to surface existing permissions changes to user for RecipesActiveProject Browser 1.0 Created 4 days ago

HTTP_HOST header cannot be trustedFixedDrupal core 8.0 — base system Created about 10 years ago

cmis.cmis_object_delete route is not protected against CSRF attacksActiveCMIS API Created 8 days ago

Security dependencies jsNeeds workEditor Advanced link 2.2 Created 8 months ago

Block access to .scss, .sass, .less, .pcss and .pcss.css filesNeeds workDrupal core 11.0 — asset library system Created over 3 years ago

Provide a tour which points to settings which are important when you publish a siteClosed: outdatedTour 1.0 Created over 9 years ago

CVE-2024-24815 ActiveCKEditor 4 - WYSIWYG HTML editor 1.0 Created 3 months ago

Allow sites to programmatically opt in to accept more image type uploads in CKEditor 5: TIFF, SVG…FixedDrupal core 10.3 — ckeditor5.module Created about 2 years ago

Should "iFrame domain" also set "X-Frame-Options" header Needs workDrupal core 11.0 — media system Created over 4 years ago

Basic Auth module conflicts with server-level "Site Lock" implementationsNeeds workDrupal core 11.0 — basic_auth.module Created over 7 years ago

[11.x] Remove the CKEditor 4 upgrade pathFixedDrupal core 11.0 — ckeditor5.module Created over 2 years ago

Convert tracker listings to a viewNeeds workActivity Tracker 1.0 Created about 11 years ago

Test files are publicly accessibleNeeds reviewDrupal core 7.0 — other Created 11 months ago

URL aliases can be used to override trusted urlsNeeds reviewDrupal core 7.0 — ajax system Created 9 months ago

Twig support in "Text area" fields just like "Custom text" fieldsActiveDrupal core 11.0 — views.module Created over 7 years ago

Events to validate JWT never called !FixedJSON Web Token Authentication (JWT) 2.0 Created 6 months ago

Review to confirm the old security issues are no longer presentFixedFalse Account Detector 2.0 Created about 2 months ago

Update module project updates will not update Composer dependencies for security updatesActiveDrupal core 11.0 — update.module Created 9 months ago

Use email verification when changing user email addressesNeeds workDrupal core 11.0 — user.module Created over 17 years ago

Security review of secure signing components for package managerNeeds workDrupal core 11.0 — update.module Created about 1 year ago

Allows HTML with Plain text formatActiveReadmore 2.0 Created about 1 month ago

Relies on Dialog module, which is not covered by security advisory policyClosed: outdatedEntity Embed 2.0 Created over 5 years ago

Multiple errors in PasswordItem::preSave(), leads to data loss if field is translatableNeeds workDrupal core 11.0 — field system Created almost 9 years ago

Update ajax.js to match Drupal core updatesFixedDialog 2.0 Created over 5 years ago

XSS vulnerability in facet resultsNeeds reviewFacets autocomplete 2.1 Created 2 months ago

[PP-1] Validate alternate domain for oEmbed iFramePostponedDrupal core 11.0 — media system Created about 6 years ago

XSS via block settingsFixedTOAST UI Image Editor 1.0 Created over 1 year ago

Stable Release ConfirmationActiveGroup Forum 1.0 Created 2 months ago

XSS attribute filtering is inconsistent and strips valid attributesNeeds workDrupal core 11.0 — base system Created almost 9 years ago

Media Libray: buildInputElement on media library content view does not return the correct form element, bypasses checksActiveDrupal core 10.1 — media system Created 2 months ago

Deprecate user_roles() and user_role_names()FixedDrupal core 11.0 — user.module Created about 1 year ago

EntityAccessControlHandler::createAccess() and EntityAccessControlHandler::access() return false positive cache hits because it ignores contextNeeds workDrupal core 11.0 — entity system Created almost 7 years ago

Allow views base tables to define additional cache tags and max ageNeeds workDrupal core 11.0 — views.module Created over 7 years ago

Hide username from title tag for securityNeeds reviewAdminimal - Responsive Administration Theme 1.6 Created over 1 year ago

Link to the access bypass security advisory on module pageFixedSwift Mailer 2.0 Created 4 months ago

CSRF check always fails for users without a sessionNeeds workDrupal core 11.0 — request processing system Created almost 8 years ago

Taxonomy Index for unpublished entitiesNeeds workDrupal core 11.0 — taxonomy.module Created over 13 years ago

Page cache creates vast amounts of unneeded cache dataActiveDrupal core 11.0 — cache system Created over 5 years ago

[meta] Security audit the Authentication componentActiveDrupal core 11.0 — request processing system Created almost 10 years ago

Security: Bypassing the IP authentication is easy?Needs workIP Consumer Auth 2.0 Created 5 months ago

Change API keys from string to hashed passwordActiveKey auth 2.1 Created 8 months ago

basic auth get data when user blockedActiveDrupal REST & JSON API Authentication 2.0 Created 5 months ago

Views results do not respect Group permissionsActiveGroup 3.2 Created over 4 years ago

Private file download returns access denied, when file attached to revision other than currentNeeds workDrupal core 11.0 — file.module Created about 12 years ago

Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on ActiveDrupal core 11.0 — filter.module Created over 2 years ago

Improve security of session ID against DB exposure or SQL injectionFixedDrupal core 7.0 — base system Created over 10 years ago

Exceptions printed to all usersFixedGraphQL Twig 4.0 Created almost 3 years ago

Changing roles does not affect the access tokenNeeds reviewSimple OAuth (OAuth2) & OpenID Connect 5.2 Created 7 months ago

.htaccess rules broken since yarn.lock got addedFixedDrupal core 10.1 — base system Created over 1 year ago

Inform users that media items don't inherit access control from parentsNeeds workDrupal core 10.1 — media system Created almost 6 years ago

Insecure temporary file handling on configuration exportActiveDrupal core 10.2 — configuration system Created 7 months ago

Webserver configuration file does not block access to compressed sql filesActiveDrupal core 10.2 — other Created 7 months ago

PSA: Potential multiple vulnerabilities with mod_mime_magic ActiveDrupal core 10.2 — other Created 7 months ago

security advisory policyClosed: won't fixAdvance Script Manager 1.0 Created 7 months ago

User without publish permissions can use entity-clone to publish nodesNeeds reviewEntity Clone 2.0 Created 10 months ago

Require the php module for the php eval, use php_eval from php.moduleActiveAutomatic User Names 1.0 Created over 9 years ago

SA-CORE-2023-005 might apply to avif moduleClosed: outdatedAVIF 1.0 Created 11 months ago

Module names on the Available Updates page are double-escapedNeeds reviewProject 2.0 Created almost 5 years ago

Media Fails to Enforce oEmbed Allowed Providers SettingActiveDrupal core 10.1 — media system Created 8 months ago

XSS vulnerability in textsFixedTarte au Citron 1.0 Created 11 months ago

XSS vulnerability in readmoreLink settingFixedTarte au Citron 1.0 Created 11 months ago

XSS vulnerability in drupal_youtube serviceFixedTarte au Citron 1.0 Created 10 months ago

Entity forms skip validation of fields that are not in the EntityFormDisplayFixedDrupal core 8.0 — entity system Created over 9 years ago

The starterkit theme NPM dependencies contain many security vulnerabilitiesNeeds workCog 1.0 Created about 1 year ago

All menu items are displayed without regard to access rightsFixedDrupal Mega Menu 1.16 Created over 5 years ago

Users could bypass custom field access for specific translationsActiveDrupal core 10.1 — entity system Created 9 months ago

Possible issue with ajax_page_stateActiveDrupal core 10.1 — ajax system Created 9 months ago

Race-condition in reset password can allow the reuse of a tokenActiveDrupal core 10.0 — user system Created 11 months ago

Original/unchanged entity inconsistently present for validationActiveDrupal core 10.1 — jsonapi.module Created 11 months ago

Node's "base_table" metatag is a nightmare for generic entity query accessActiveDrupal core 10.1 — node system Created 11 months ago

Image uploads causing information disclosureActiveDrupal core 10.1 — file system Created 11 months ago

The whole node grants system sets a bad example and many modules can become insecure as a resultActiveDrupal core 9.5 — node system Created about 1 year ago

Avoid redirect to install.php on production environmentsActiveDrupal core 11.0 — install system Created over 4 years ago

SA-CORE-2023-005 fix probably needs to be applied similarly on WebP module's codeNeeds reviewWebP 1.0 Created about 1 year ago

Text formats should throw an error and refuse to process if a plugin goes missingClosed: outdatedDrupal core 11.0 — filter.module Created over 14 years ago

CSRF on delete url
Fixed
Paragraphs admin 1.0
Created over 5 years ago

Field visibility access is not applied correctly due to caching
Active
User Fields Visibility 1.0
Created 2 days ago

Specification includes disabled resources
RTBC
OpenAPI for REST 2.0
Created about 1 year ago

Allow for Project Browser to surface existing permissions changes to user for Recipes
Active
Project Browser 1.0
Created 4 days ago

HTTP_HOST header cannot be trusted
Fixed
Drupal core 8.0 — base system
Created about 10 years ago

cmis.cmis_object_delete route is not protected against CSRF attacks
Active
CMIS API
Created 8 days ago

Security dependencies js
Needs work
Editor Advanced link 2.2
Created 8 months ago

Block access to .scss, .sass, .less, .pcss and .pcss.css files
Needs work
Drupal core 11.0 — asset library system
Created over 3 years ago

Provide a tour which points to settings which are important when you publish a site
Closed: outdated
Tour 1.0
Created over 9 years ago

CVE-2024-24815
Active
CKEditor 4 - WYSIWYG HTML editor 1.0
Created 3 months ago

Allow sites to programmatically opt in to accept more image type uploads in CKEditor 5: TIFF, SVG…
Fixed
Drupal core 10.3 — ckeditor5.module
Created about 2 years ago

Should "iFrame domain" also set "X-Frame-Options" header
Needs work
Drupal core 11.0 — media system
Created over 4 years ago

Basic Auth module conflicts with server-level "Site Lock" implementations
Needs work
Drupal core 11.0 — basic_auth.module
Created over 7 years ago

[11.x] Remove the CKEditor 4 upgrade path
Fixed
Drupal core 11.0 — ckeditor5.module
Created over 2 years ago

Convert tracker listings to a view
Needs work
Activity Tracker 1.0
Created about 11 years ago

Test files are publicly accessible
Needs review
Drupal core 7.0 — other
Created 11 months ago

URL aliases can be used to override trusted urls
Needs review
Drupal core 7.0 — ajax system
Created 9 months ago

Twig support in "Text area" fields just like "Custom text" fields
Active
Drupal core 11.0 — views.module
Created over 7 years ago

Events to validate JWT never called !
Fixed
JSON Web Token Authentication (JWT) 2.0
Created 6 months ago

Review to confirm the old security issues are no longer present
Fixed
False Account Detector 2.0
Created about 2 months ago

Update module project updates will not update Composer dependencies for security updates
Active
Drupal core 11.0 — update.module
Created 9 months ago

Use email verification when changing user email addresses
Needs work
Drupal core 11.0 — user.module
Created over 17 years ago

Security review of secure signing components for package manager
Needs work
Drupal core 11.0 — update.module
Created about 1 year ago

Allows HTML with Plain text format
Active
Readmore 2.0
Created about 1 month ago

Relies on Dialog module, which is not covered by security advisory policy
Closed: outdated
Entity Embed 2.0
Created over 5 years ago

Multiple errors in PasswordItem::preSave(), leads to data loss if field is translatable
Needs work
Drupal core 11.0 — field system
Created almost 9 years ago

Update ajax.js to match Drupal core updates
Fixed
Dialog 2.0
Created over 5 years ago

XSS vulnerability in facet results
Needs review
Facets autocomplete 2.1
Created 2 months ago

[PP-1] Validate alternate domain for oEmbed iFrame
Postponed
Drupal core 11.0 — media system
Created about 6 years ago

XSS via block settings
Fixed
TOAST UI Image Editor 1.0
Created over 1 year ago

Stable Release Confirmation
Active
Group Forum 1.0
Created 2 months ago

XSS attribute filtering is inconsistent and strips valid attributes
Needs work
Drupal core 11.0 — base system
Created almost 9 years ago

Media Libray: buildInputElement on media library content view does not return the correct form element, bypasses checks
Active
Drupal core 10.1 — media system
Created 2 months ago

Deprecate user_roles() and user_role_names()
Fixed
Drupal core 11.0 — user.module
Created about 1 year ago

EntityAccessControlHandler::createAccess() and EntityAccessControlHandler::access() return false positive cache hits because it ignores context
Needs work
Drupal core 11.0 — entity system
Created almost 7 years ago

Allow views base tables to define additional cache tags and max age
Needs work
Drupal core 11.0 — views.module
Created over 7 years ago

Hide username from title tag for security
Needs review
Adminimal - Responsive Administration Theme 1.6
Created over 1 year ago

Link to the access bypass security advisory on module page
Fixed
Swift Mailer 2.0
Created 4 months ago

CSRF check always fails for users without a session
Needs work
Drupal core 11.0 — request processing system
Created almost 8 years ago

Taxonomy Index for unpublished entities
Needs work
Drupal core 11.0 — taxonomy.module
Created over 13 years ago

Page cache creates vast amounts of unneeded cache data
Active
Drupal core 11.0 — cache system
Created over 5 years ago

[meta] Security audit the Authentication component
Active
Drupal core 11.0 — request processing system
Created almost 10 years ago

Security: Bypassing the IP authentication is easy?
Needs work
IP Consumer Auth 2.0
Created 5 months ago

Change API keys from string to hashed password
Active
Key auth 2.1
Created 8 months ago

basic auth get data when user blocked
Active
Drupal REST & JSON API Authentication 2.0
Created 5 months ago

Views results do not respect Group permissions
Active
Group 3.2
Created over 4 years ago

Private file download returns access denied, when file attached to revision other than current
Needs work
Drupal core 11.0 — file.module
Created about 12 years ago

Allow inline style to certain html elements despite of "Limit allowed HTML tags and correct faulty HTML" filter turned on
Active
Drupal core 11.0 — filter.module
Created over 2 years ago

Improve security of session ID against DB exposure or SQL injection
Fixed
Drupal core 7.0 — base system
Created over 10 years ago

Exceptions printed to all users
Fixed
GraphQL Twig 4.0
Created almost 3 years ago

Changing roles does not affect the access token
Needs review
Simple OAuth (OAuth2) & OpenID Connect 5.2
Created 7 months ago

.htaccess rules broken since yarn.lock got added
Fixed
Drupal core 10.1 — base system
Created over 1 year ago

Inform users that media items don't inherit access control from parents
Needs work
Drupal core 10.1 — media system
Created almost 6 years ago

Insecure temporary file handling on configuration export
Active
Drupal core 10.2 — configuration system
Created 7 months ago

Webserver configuration file does not block access to compressed sql files
Active
Drupal core 10.2 — other
Created 7 months ago

PSA: Potential multiple vulnerabilities with mod_mime_magic
Active
Drupal core 10.2 — other
Created 7 months ago

security advisory policy
Closed: won't fix
Advance Script Manager 1.0
Created 7 months ago

User without publish permissions can use entity-clone to publish nodes
Needs review
Entity Clone 2.0
Created 10 months ago

Require the php module for the php eval, use php_eval from php.module
Active
Automatic User Names 1.0
Created over 9 years ago

SA-CORE-2023-005 might apply to avif module
Closed: outdated
AVIF 1.0
Created 11 months ago

Module names on the Available Updates page are double-escaped
Needs review
Project 2.0
Created almost 5 years ago

Media Fails to Enforce oEmbed Allowed Providers Setting
Active
Drupal core 10.1 — media system
Created 8 months ago

XSS vulnerability in texts
Fixed
Tarte au Citron 1.0
Created 11 months ago

XSS vulnerability in readmoreLink setting
Fixed
Tarte au Citron 1.0
Created 11 months ago

XSS vulnerability in drupal_youtube service
Fixed
Tarte au Citron 1.0
Created 10 months ago

Entity forms skip validation of fields that are not in the EntityFormDisplay
Fixed
Drupal core 8.0 — entity system
Created over 9 years ago

The starterkit theme NPM dependencies contain many security vulnerabilities
Needs work
Cog 1.0
Created about 1 year ago

All menu items are displayed without regard to access rights
Fixed
Drupal Mega Menu 1.16
Created over 5 years ago

Users could bypass custom field access for specific translations
Active
Drupal core 10.1 — entity system
Created 9 months ago

Possible issue with ajax_page_state
Active
Drupal core 10.1 — ajax system
Created 9 months ago

Race-condition in reset password can allow the reuse of a token
Active
Drupal core 10.0 — user system
Created 11 months ago

Original/unchanged entity inconsistently present for validation
Active
Drupal core 10.1 — jsonapi.module
Created 11 months ago

Node's "base_table" metatag is a nightmare for generic entity query access
Active
Drupal core 10.1 — node system
Created 11 months ago

Image uploads causing information disclosure
Active
Drupal core 10.1 — file system
Created 11 months ago

The whole node grants system sets a bad example and many modules can become insecure as a result
Active
Drupal core 9.5 — node system
Created about 1 year ago

Avoid redirect to install.php on production environments
Active
Drupal core 11.0 — install system
Created over 4 years ago

SA-CORE-2023-005 fix probably needs to be applied similarly on WebP module's code
Needs review
WebP 1.0
Created about 1 year ago

Text formats should throw an error and refuse to process if a plugin goes missing
Closed: outdated
Drupal core 11.0 — filter.module
Created over 14 years ago

Termination of addthis.com services
Active
AddThis
Created 9 months ago

Add Assert Active to Status Report
Closed: outdated
Drupal core 9.5 — base system
Created over 8 years ago