Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003

Project: Bible
Date: 2018-January-17
Security risk: *Critical* 17∕25
Vulnerability: Multiple Vulnerabilities


This module enables you to display a Bible on your website. Users can
associate notes with a Bible version.

This module has a vulnerability that would allow an attacker to wipe out,
update or read notes from other users with a carefully crafted title.

WordPress 4.9.2 Security and Maintenance Release

WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: *Moderately critical* 14∕25
Vulnerability: Access Bypass


The Node view permissions module enables the "View own content" and "View any
content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to
view unpublished content that they are not otherwise authorized to view.


Install the latest version:

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

Project: Link Click Count
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported


The Link Click Count module helps you to monitor the traffic to your website
by creating link fields. These link fields can be individual links or
internal/external links that can be added to the content type.

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Project: me aliases
Date: 2017-December-20
Security risk: *Highly critical* 20∕25
Vulnerability: Arbitrary code execution


The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.


Install the latest version:

Directory based organizational layer - Critical - Unsupported - SA-CONTRIB-2017-096

Project: Directory based organizational layer
Date: 2017-December-20
Security risk: *Critical* 18∕25
Vulnerability: Unsupported


This module adds a new organizational layer to Drupal, making it easy to
manage large numbers of files and nodes.

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Project: Panopoly Core
Version: 7.x-1.x-dev
Date: 2017-December-13
Security risk: *Moderately critical* 13∕25
Vulnerability: Cross Site Scripting


This module provides common functionality used by other modules in the
Panopoly distribution and child distributions, such as Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when
the "Append Page Title to Site Breadcrumb" setting is enabled.

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

Project: Node feedback
Version: 7.x-1.2
Date: 2017-December-06
Security risk: *Moderately critical* 12∕25
Vulnerability: Access Bypass


This module enables you to set nodes to send feedback via personal or site-wide contact forms.

The module doesn't sufficiently handle access to nodes whose titles are shown on contact forms.

