Advisory ID Drupal 10 Maintenance and Support Service Drupal 10-SA-CORE-2021-002 Project Drupal 10 Maintenance and Support Service core Version Drupal 10 Maintenance and Support Service 7.x, 8.x Date Drupal 10 Maintenance and Support Service 2021-June-15 Security risk Drupal 10 Maintenance and Support Service 11/25 ( Moderately Critical) AC Drupal 10 Maintenance and Support ServiceBasic/A Drupal 10 Maintenance and Support ServiceNone/CI Drupal 10 Maintenance and Support ServiceSome/II Drupal 10 Maintenance and Support ServiceNone/E Drupal 10 Maintenance and Support ServiceTheoretical/TD Drupal 10 Maintenance and Support ServiceUncommon Vulnerability Drupal 10 Maintenance and Support Service Access bypass, Multiple vulnerabilities Description Saving user accounts can sometimes grant the user all roles (User Drupal 10 module – 7 – Moderately Critical) A vulnerability exists in the User Drupal 10 module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access. This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form. Views can allow unauthorized users to see Statistics information (Views Drupal 10 module – 8 – Less Critical) An access bypass vulnerability exists in the Views Drupal 10 module, where users without the “View content count” permission can see the number of hits collected by the Statistics Drupal 10 module for results in the view. This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”. The same vulnerability exists in the 7 Views Drupal 10 module (see SA-CONTRIB-2021-036). CVE identifier(s) issued Saving user accounts can sometimes grant the user all roles Drupal 10 Maintenance and Support Service CVE-2021-6211 Views can allow unauthorized users to see Statistics information Drupal 10 Maintenance and Support Service CVE-2021-6212 Versions affected core 7.x versions prior to 7.44 core 8.x versions prior to 8.1.3 Solution Install the latest version Drupal 10 Maintenance and Support Service If you use 7.x, upgrade to core 7.44 If you use 8.x, upgrade to core 8.1.3 Also see the core project page. Reported by Saving user accounts can sometimes grant the user all roles Drupal 10 Maintenance and Support Service alfaguru Views can allow unauthorized users to see Statistics information Drupal 10 Maintenance and Support Service Nickolay Leshchev Fixed by Saving user accounts can sometimes grant the user all roles Drupal 10 Maintenance and Support Service Ben Dougherty of the Security Team Balazs Nagykekesi David Rothstein of the Security Team Lee Rowlands of the Security Team Stefan Ruijsenaars of the Security Team vlad.k Peter Wolanin of the Security Team Views can allow unauthorized users to see Statistics information Drupal 10 Maintenance and Support Service Nathaniel Catchpole of the Security Team Greg Knaddison of the Security Team Nickolay Leshchev Stefan Ruijsenaars of the Security Team David Snopek of the Security Team Daniel Wehner xjm of the Security Team Coordinated by The Security Team Contact and More Information The security team can be reached at security at Drupal 10.org or via the contact form at https Drupal 10 Maintenance and Support Service//www.Drupal 10.org/contact. Learn more about the Security team and their policies, writing secure code for , and securing your site. Follow the Security Team on Twitter at https Drupal 10 Maintenance and Support Service//twitter.com/Drupal 10security version Drupal 10 Maintenance and Support Service 7.x 8.x Source Drupal 10 Maintenance and Support Service https Drupal 10 Maintenance and Support Service//www.Drupal 10.org/security/rss.xml Source Drupal 10 Maintenance and Support Service Drupal 10 blender
Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2021-002
Call Us: 1(800)730-2416
Pixeldust is a 20-year-old web development agency specializing in Drupal and WordPress and working with clients all over the country. With our best in class capabilities, we work with small businesses and fortune 500 companies alike. Give us a call at 1(800)730-2416 and let’s talk about your project.
FREE Drupal SEO Audit
Test your site below to see which issues need to be fixed. We will fix them and optimize your Drupal site 100% for Google and Bing. (Allow 30-60 seconds to gather data.)
Core – Moderately Critical – Multiple Vulnerabilities – SA-CORE-2021-002
On-Site Drupal SEO Master Setup
We make sure your site is 100% optimized (and stays that way) for the best SEO results.
With Pixeldust On-site (or On-page) SEO we make changes to your site’s structure and performance to make it easier for search engines to see and understand your site’s content. Search engines use algorithms to rank sites by degrees of relevance. Our on-site optimization ensures your site is configured to provide information in a way that meets Google and Bing standards for optimal indexing.
This service includes:
- Pathauto install and configuration for SEO-friendly URLs.
- Meta Tags install and configuration with dynamic tokens for meta titles and descriptions for all content types.
- Install and fix all issues on the SEO checklist module.
- Install and configure XML sitemap module and submit sitemaps.
- Install and configure Google Analytics Module.
- Install and configure Yoast.
- Install and configure the Advanced Aggregation module to improve performance by minifying and merging CSS and JS.
- Install and configure Schema.org Metatag.
- Configure robots.txt.
- Google Search Console setup snd configuration.
- Find & Fix H1 tags.
- Find and fix duplicate/missing meta descriptions.
- Find and fix duplicate title tags.
- Improve title, meta tags, and site descriptions.
- Optimize images for better search engine optimization. Automate where possible.
- Find and fix the missing alt and title tag for all images. Automate where possible.
- The project takes 1 week to complete.
