In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.
ASA-2019-00153 – Drupal: Upload of a file can trigger a Cross-Site Scripting (XSS) vulnerability
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.
ASA-2019-00108 – Drupal: Remote code execution if REST module is enabled
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is affected only if one of the following conditions is met: the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or the site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
ASA-2019-00015 – Drupal: Arbitrary PHP code execution
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.
ASA-2019-00014 – Drupal: Remote code execution through phar:// file in Archive_Tar package
Drupal core uses the third-party PEAR Archive_Tar library. A security update has been released for this library that affects some Drupal configurations. Refer to CVE-2018-1000888 for details.