Drupal: Security update

create_user_permission 8.x-1.2

18 hours 34 minutes ago
Release notes

Fixes an issue where the module would prevent the setting "Who can register accounts? Visitors, but administrator approval is required try to register an account" from having an effect.

Fixes SA-CONTRIB-2019-066.

Download | Size | md5 hash
create_user_permission-8.x-1.2.tar.gz | 9.08 KB | 15e4986d6b085d7e147deb620f2545a6
create_user_permission-8.x-1.2.zip | 13.4 KB | aab488f3439e95db8dd428541de10738

Last updated: 18 Sep 2019 at 06:08 UTC
Official release from tag: 8.x-1.2
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: 85c9faa17c6fcbfc69c16ec994403767dadfcd57
eiriksm

tablefield 8.x-2.1

1 day 8 hours ago
Release notes

This is a security update for tablefield.

Fixes SA-CONTRIB-2019-067.

Download | Size | md5 hash
tablefield-8.x-2.1.tar.gz | 21.46 KB | 77068931e6040664afc538e4448bf0b5
tablefield-8.x-2.1.zip | 33.74 KB | beffd781a9163f32d7382fefdeeaecc8

Last updated: 17 Sep 2019 at 15:53 UTC
Official release from tag: 8.x-2.1
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: a0024035ed89fce3dfb171f5e64570a1ee612432
lolandese

imagecache_external 8.x-1.1

4 weeks 1 day ago
Release notes

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

Since the first release back in 2016, a lot of work has been done. This release also includes a security update.

Download | Size | md5 hash
imagecache_external-8.x-1.1.tar.gz | 17.76 KB | 0e6c7677987f0d5fb21e55d7d8d1c966
imagecache_external-8.x-1.1.zip | 25.05 KB | 9a4463ba3a8fde8f4221e1572ba8284c

Last updated: 20 Aug 2019 at 20:18 UTC
Official release from tag: 8.x-1.1
Core compatibility: 8.x
Release type: Security update, Bug fixes, New features
Packaged Git sha1: 1baf5ddf31d98d8d318735bc9833453a0c627e64
BarisW

scroll_to_top 7.x-2.2

1 month ago
Release notes

Fix XSS vulnerability from administration settings.

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

Download | Size | md5 hash
scroll_to_top-7.x-2.2.tar.gz | 10 KB | 6b5c93242007381204e2d817b5520234
scroll_to_top-7.x-2.2.zip | 11.48 KB | 7e48570b6d13281cc4d0776a97c4df7e

Last updated: 13 Aug 2019 at 20:08 UTC
Official release from tag: 7.x-2.2
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: e65960ab66b1e6f5af1dad6bab800339ef1e1192
tarekdj

super_login 8.x-1.3

1 month ago
Release notes

Fixes to prevent XSS on administrative input fields.

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Download | Size | md5 hash
super_login-8.x-1.3.tar.gz | 13.73 KB | 0f7b7873b266f4c6ff152ed47ea1dc84
super_login-8.x-1.3.zip | 19.14 KB | 85170c70ddc200850460f2c1d289bba0

Last updated: 13 Aug 2019 at 17:23 UTC
Official release from tag: 8.x-1.3
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: 0721160fc8445bfb34f56f854e2171fa3551e910
3CWebDev

super_login 7.x-1.4

1 month ago
Release notes

Fixes to prevent XSS on administrative input fields.

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

Download | Size | md5 hash
super_login-7.x-1.4.tar.gz | 21.23 KB | f2a11bd9e417b3adb0f8bf778b914ef8
super_login-7.x-1.4.zip | 24.26 KB | d1738f50119f46704a0d4f1e6950c027

Last updated: 13 Aug 2019 at 16:48 UTC
Official release from tag: 7.x-1.4
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: 0cb08f5e8a4c4bca8b3e40836f14f696c1146c36
3CWebDev

elf 8.x-1.2

1 month ago
Release notes

Add a CSRF token that protects the redirect URL from the open use.

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Download | Size | md5 hash
elf-8.x-1.2.tar.gz | 11.82 KB | 4112998fdf769912941415c98a26df91
elf-8.x-1.2.zip | 16.96 KB | 21b621134885ead5c0a9f5d6c6f7b351

Last updated: 13 Aug 2019 at 14:58 UTC
Official release from tag: 8.x-1.2
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: 1c4453e6493d40fba1fcea8505a1f0f92173676b
ddrozdik

elf 7.x-3.1

1 month ago
Release notes

Add a CSRF token that protects the redirect URL from the open use.

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

Download | Size | md5 hash
elf-7.x-3.1.tar.gz | 10.33 KB | 87ebdd5b379cf196832b756936b86d44
elf-7.x-3.1.zip | 12.12 KB | 7dc961f0e46709bd5210e9b17bd83bd3

Last updated: 13 Aug 2019 at 14:53 UTC
Official release from tag: 7.x-3.1
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: 4830d33a328ccdd22bb006b649af6548dc348df3
ddrozdik

forms_steps 8.x-1.2

1 month 1 week ago
Release notes

Security release

Forms Steps allows the form to be displayed and the content to be edited through Forms Steps workflow entities. So even if a permission is set to the content type, users were able to use the Forms Steps workflow entities to access and create contents.

This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the workflow entity. Also, all created contents are very hard to edit through the same workflow as you have to know the URL and the linked hash to the content.
Finally the exposed contents are only the ones created through a Form Steps workflow.

This release fixes this issue.

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Download | Size | md5 hash
forms_steps-8.x-1.2.tar.gz | 39.71 KB | a4992f74cc36f0eabb2f35a11510d332
forms_steps-8.x-1.2.zip | 66.89 KB | 2f6d41975573d7eed873c36d2fa64582

Last updated: 11 Aug 2019 at 08:33 UTC
Official release from tag: 8.x-1.2
Core compatibility: 8.x
Release type: Security update
Short description: This release fixes an access bypass vulnerability
Packaged Git sha1: 63f00189f5bb59d16ec7f446f13a0dc4b9460168
nicoloye

metatag 8.x-1.9

1 month 3 weeks ago
Release notes

This contains a single change from 8.x-1.8 to resolve SA-CONTRIB-2019-058.

Note: because of the changes in this release, meta tags will no longer be displayed when the site is in maintenance mode.

Full changelog

Changes since v8.x-1.8:

By DamienMcKenna, anton.shloma: Improved maintenance mode identification.

Download | Size | md5 hash
metatag-8.x-1.9.tar.gz | 138.29 KB | f090d110af1607b156efbdd62f62285d
metatag-8.x-1.9.zip | 392.05 KB | 9402b9cfb1fdf18081c739c217acf779

Last updated: 24 Jul 2019 at 16:33 UTC
Official release from tag: 8.x-1.9
Core compatibility: 8.x
Release type: Security update
Short description: Resolves SA-CONTRIB-2019-058
Packaged Git sha1: 7537c2b4408da3b785146b84639d7e1a5b53df96
DamienMcKenna

existing_values_autocomplete_widget 8.x-1.2

1 month 3 weeks ago
Release notes

Fixes security advisory Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060.

Download | Size | md5 hash
existing_values_autocomplete_widget-8.x-1.2.tar.gz | 9.63 KB | fe0db1a5363c58030b83d9fb2b5d7df7
existing_values_autocomplete_widget-8.x-1.2.zip | 14.29 KB | 86a33c7ffcdce07924f81c418d9e117e

Last updated: 23 Jul 2019 at 20:13 UTC
Official release from tag: 8.x-1.2
Core compatibility: 8.x
Release type: Security update
Short description: Fixes security advisory
Packaged Git sha1: 8b19eabfff3a492ff0af74091c3aab5847d9b967
artis

drupal 8.7.5

2 months ago
Release notes

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose?

Security coverage information
  • Drupal 8.7.x will receive security coverage until June 3, 2020 when Drupal 8.9.0 is released.
  • Sites on 8.6.x or earlier do not require an update for this release.
  • Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.
Important update information
  • For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Download | Size | md5 hash
drupal-8.7.5.tar.gz | 17.02 MB | 39cc326d9db1b4acce9b8716193189fd
drupal-8.7.5.zip | 27.17 MB | 6ce957e2ff480db3e2f3eb84c01078e0

Last updated: 17 Jul 2019 at 16:28 UTC
Official release from tag: 8.7.5
Core compatibility: 8.x
Release type: Security update
Short description: Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1: 7861b6b23996134c5e44bf287e5431db1ddd0cda
xjm

imagecache_actions 7.x-1.10

2 months ago
Release notes

Fixes: ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

  • Use json for exporting image styles.
  • Introduce new permission for importing image styles marked as having security implications.

Download | Size | md5 hash
imagecache_actions-7.x-1.10.tar.gz | 2.01 MB | 6d9bb9c19a9a9bf6a2f63596e3210140
imagecache_actions-7.x-1.10.zip | 2.05 MB | 8479cc9a2805cf3a5ddf5ca8af52f07c

Last updated: 17 Jul 2019 at 06:48 UTC
Official release from tag: 7.x-1.10
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: ce4e1f53013a3bb28e161eab8ad06ecdf8b129d0
fietserwin

metatags_quick 7.x-2.10

2 months ago
Release notes

Fixes: Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

Download | Size | md5 hash
metatags_quick-7.x-2.10.tar.gz | 28.08 KB | 21fd5578584a9c5ae391333769b3bc07
metatags_quick-7.x-2.10.zip | 36.19 KB | f86e23e184ef8a895e0627508d63c1a5

Last updated: 16 Jul 2019 at 14:18 UTC
Official release from tag: 7.x-2.10
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: 1c9ee5c3d076f40463a0ece02e9bafaadf53174a
valthebald

config_perms 8.x-1.2

2 months 1 week ago
Release notes

Also fixes Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055.

Contributors (3)

alonaoneill, volkswagenchick, Pavan B S

Changelog

Issues: 2 issues resolved.

Changes since 8.x-1.1:

Task

Download | Size | md5 hash
config_perms-8.x-1.2.tar.gz | 12.89 KB | 3ae9c3f37346096ee4795be72337694c
config_perms-8.x-1.2.zip | 21.22 KB | 1cbf8279d91727ff6d2660ed768d33ff

Last updated: 10 Jul 2019 at 16:23 UTC
Official release from tag: 8.x-1.2
Core compatibility: 8.x
Release type: Security update
Packaged Git sha1: 5ad12408b245077be9b4df2c59ad063409ce64ad
gnuget

advanced_forum 7.x-2.8

2 months 3 weeks ago
Release notes

Fixes Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Changes since 7.x-2.6:

  • Tweaks to preprocessing.
  • #2745251 by Michelle: Empty text should not assume filtered_html format exists
  • #2612528 by Елин Й.: "Quick reply" link doesn't work if the comment form gets an id like "comment-form--2"
  • Add gitignore
  • #2612528 by pc-wurm: "Quick reply" link doesn't work if the comment form gets an id like "comment-form--2"
  • #2599500 by eugene.ilyin, podarok: Opportunity to use fields from taxonomy term on the forum form

(Note that there was no 7.x-2.7 as 7.x-2.7-rc0 didn't progress to a full release.)

Download | Size | md5 hash
advanced_forum-7.x-2.8.tar.gz | 165.02 KB | 8a3f97ca4a4821b6a8ebb1853d3a0e37
advanced_forum-7.x-2.8.zip | 239.2 KB | aa6982277b7e1577b052e340367e1486

Last updated: 26 Jun 2019 at 11:18 UTC
Official release from tag: 7.x-2.8
Core compatibility: 7.x
Release type: Security update
Packaged Git sha1: b22fdfe2ffc3b1d3f12e9cc2be0ecdb8d088f2d1
mcdruid

easy_breadcrumb 7.x-2.17

2 months 4 weeks ago
Release notes

Fixes Easy Breadcrumb - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-053

Changes since 7.x-2.16:

Special thanks to jgarlan and pkaur for the original report and mcdruid from the Drupal Security Team to resolve the issue.

Download | Size | md5 hash
easy_breadcrumb-7.x-2.17.tar.gz | 17.57 KB | 9c1ff08419ec6450215ae88375d32fb0
easy_breadcrumb-7.x-2.17.zip | 21.58 KB | 1aa368a23c0a86f6808956b1133ebe91

Last updated: 19 Jun 2019 at 12:03 UTC
Official release from tag: 7.x-2.17
Core compatibility: 7.x
Release type: Security update
Short description: Release has a major improvement to handling texts.
Packaged Git sha1: 92ffa3ceefe6631ec60a43a63c0dca4fd1203fa3
tatarbj