Drupal Core Security Updates of September 15, 2021

The latest issue of 'TheWeeklyDrop' reported quite a few Drupal security advisories. These advisories concern Drupal core and are rated moderately critical. The issues range from Cross-Site Request Forgery (SA-CORE-2021-006 and 007) to Access Bypass (SA-CORE-2021-008 to 010).

The 006 issue concerns the media embed filter: in some cases an unprivileged user could bypass the filter and inject HTML into a page. The injected markup takes effect when that page is accessed by a trusted user who has permission to embed media, and in some cases this can lead to cross-site scripting.

The contributed Entity Embed module had a similar vulnerability, reported in SA-CONTRIB-2021-028.

The SA-CORE-2021-007 and 009 issues both concern the QuickEdit module. In 007, the module does not properly validate access to routes, causing a Cross-Site Request Forgery vulnerability and possible data integrity concerns. In 009, the module does not properly check access to fields in some circumstances, which can unwittingly result in disclosure of field data. These two issues affect only sites that have the QuickEdit module installed; it is part of the Standard installation profile.

The 007 vulnerability cannot be fully mitigated by removing the “access in-place editing” permission from untrusted users. Uninstalling the QuickEdit module, on the other hand, does resolve both issues. Another reason to consider uninstallation seriously is that the QuickEdit module is not planned to be part of Drupal 10 core.

The 008 and 010 issues both concern file upload validation. Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs, and they do not correctly run all file validation, which causes an access bypass vulnerability. The vulnerability is mitigated by three factors; a site is affected only when all of the following hold:

  • The JSON:API or REST File upload module is enabled on the site
  • The user in question has been granted file upload access via JSON:API or REST
  • The site employs a file validation module

The fix for all of these issues is to upgrade to the latest release of the branch in use: Drupal 9.2.6 for 9.2, Drupal 9.1.13 for 9.1, and Drupal 8.9.19 for 8.9. All Drupal 8 and 9 releases prior to 8.9 and 9.1 have reached end of life and no longer receive security coverage, so they are not covered by these advisories.

Drupal 7 Core has not been affected by any of these issues.
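The upgrade guidance above can be turned into a quick pre-flight check. The shell script below is an added example written for this article, not code from Drupal or from TheWeeklyDrop: it hard-codes the three fixed releases named above, reads the VERSION constant from a Drupal checkout's core/lib/Drupal.php (the constructed fragment in the script stands in for a real file) and reports whether the installed core is already patched, needs the update, or sits on an end-of-life branch that received no fix. The function names, the status words and the sample version are my own choices.

```shell
#!/bin/sh
# Added example, not part of the article or of Drupal itself: check whether an
# installed Drupal core is covered by the fixes for SA-CORE-2021-006..010.
# Fixed releases are the ones the article reports: 9.2.6, 9.1.13, 8.9.19.

# Print the patched release for a major.minor branch; fail for EOL branches.
fixed_release_for_branch() {
  case "$1" in
    9.2) echo "9.2.6"  ;;
    9.1) echo "9.1.13" ;;
    8.9) echo "8.9.19" ;;
    *)   return 1 ;;          # 8.8, 9.0 and older: end of life, no fix issued
  esac
}

# Classify an installed version string such as 9.2.4 or 9.2.4-dev. Prints one of
#   UP_TO_DATE <fixed> | UPDATE_REQUIRED <fixed> | UNSUPPORTED_BRANCH | UNPARSEABLE_VERSION
# and returns 0 / 1 / 2 / 2 respectively so the verdict can drive a script.
drupal_core_status() {
  v="$1"
  branch="${v%.*}"            # 9.2.4     -> 9.2
  patch="${v##*.}"            # 9.2.4-dev -> 4-dev
  patch="${patch%%-*}"        # 4-dev     -> 4
  case "$patch" in
    ''|*[!0-9]*) echo "UNPARSEABLE_VERSION"; return 2 ;;
  esac
  fixed=$(fixed_release_for_branch "$branch") || { echo "UNSUPPORTED_BRANCH"; return 2; }
  fixed_patch="${fixed##*.}"
  if [ "$patch" -ge "$fixed_patch" ]; then
    echo "UP_TO_DATE $fixed"; return 0
  fi
  echo "UPDATE_REQUIRED $fixed"; return 1
}

# Extract the VERSION constant from a Drupal checkout's core/lib/Drupal.php.
drupal_version_from_file() {
  sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Demo on a constructed Drupal.php fragment (hypothetical site, not a real one).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
<?php
class Drupal {
  const VERSION = '9.2.4';
}
EOF
ver=$(drupal_version_from_file "$tmp")
rm -f "$tmp"
echo "installed core $ver: $(drupal_core_status "$ver")"
```

On a real site, point drupal_version_from_file at the checkout's core/lib/Drupal.php (or read the version from `drush core:status`). For an UPDATE_REQUIRED verdict the usual follow-up is `composer update "drupal/core-*" --with-all-dependencies` followed by `drush updatedb`; `drush pm:uninstall quickedit` removes the module the article suggests dropping. An UNSUPPORTED_BRANCH verdict means no patched release exists for that branch and the site needs a minor-version upgrade, not just a patch release.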
