Advisory ID Drupal 10 Upkeep and Help Service Drupal 10-SA-CONTRIB-2021-006 Mission Drupal 10 Upkeep and Help Service core Model Drupal 10 Upkeep and Help Service 7.x, 8.x Date Drupal 10 Upkeep and Help Service 2021-October-17 Description Content material moderation – Reasonably important – Entry bypass – 8 In some circumstances, content material moderation fails to examine a customers entry to make use of sure transitions, resulting in an entry bypass. With a purpose to repair this situation, Drupal Developer following modifications have been made to content material moderation which can have implications for backwards compatibility Drupal 10 Upkeep and Help Service ModerationStateConstraintValidator Two further companies have been injected into this service. Anybody subclassing this service should guarantee these further dependencies are handed to Drupal Developer constructor, if Drupal Developer constructor has been overridden. StateTransitionValidationInterface An extra methodology has been added to this interface. Implementations of this interface which don’t lengthen Drupal Developer StateTransitionValidation ought to implement this methodology. Implementations which do lengthen from Drupal Developer StateTransitionValidation ought to guarantee any behavioural modifications they’ve made are additionally mirrored on this new methodology. Consumer permissions Beforehand customers who did not have entry to make use of any content material moderation transitions had been granted implicit entry to replace content material offered Drupal Developer state of Drupal Developer content material didn’t change. Now entry to an related transition shall be validated for all customers in situations the place Drupal Developer state of content material doesn’t change between revisions. Reported by Roland Kovacsics attilatilman Fastened by Jess of Drupal Developer Safety Crew Lee Rowlands of Drupal Developer Safety Crew Wim Leers Daniel Wehner Sam Becker Drupal 10 Help: Alex Pott of Drupal Developer Safety Crew Exterior URL injection via URL aliases – Reasonably Essential – Open Redirect – 7 and 8 Drupal Development Service path Drupal 10 module permits customers with Drupal Developer ‘administer paths’ to create fairly URLs for content material. In sure circumstances Drupal Developer consumer can enter a selected path that triggers an open redirect to a malicious url. Drupal Development Service situation is mitigated by Drupal Developer incontrovertible fact that Drupal Developer consumer wants Drupal Developer administer paths permission to take advantage of. Reported by dyates Fastened by Dave Reid of Drupal Developer Safety Crew David Rothstein of Drupal Developer Safety Crew Peter Wolanin of Drupal Developer Safety Crew Jess of Drupal Developer Safety Crew Alex Bronstein of Drupal Developer Safety Crew Nathaniel Catchpole of Drupal Developer Safety Crew Lee Rowlands of Drupal Developer Safety Crew Ted Bowman Provisional member of Drupal Developer Safety Crew Nameless Open Redirect – Reasonably Essential – Open Redirect – 8 core and contributed Drupal 10 modules often use a “vacation spot” question string parameter in URLs to redirect customers to a brand new vacation spot after finishing an motion on Drupal Developer present web page. Beneath sure circumstances, malicious customers can use this parameter to assemble a URL that may trick customers into being redirected to a third occasion web site, thereby exposing Drupal Developer customers to potential social engineering assaults. This vulnerability has been publicly documented. RedirectResponseSubscriber occasion handler elimination As a part of Drupal Developer repair, CoreEventSubscriberRedirectResponseSubscriber Drupal 10 Upkeep and Help Service Drupal 10 Upkeep and Help ServicesanitizeDestination has been eliminated, though it is a public perform, it isn’t thought of an API as per our API coverage for occasion subscribers. If in case you have prolonged that class or are calling that methodology, it’s best to assessment your implementation according to Drupal Developer modifications in Drupal Developer patch. Drupal Development Service current perform has been eliminated to stop a false sense of safety. Reported by Brian Osborne Fastened by Michael Hess of Drupal Developer Safety Crew Wim Leers Alex Pott of Drupal Developer Safety Crew Grant Gaudet Lee Rowlands of Drupal Developer Safety Crew Nathaniel Catchpole of Drupal Developer Safety Crew Jess of Drupal Developer Safety Crew Injection in DefaultMailSystem Drupal 10 Upkeep and Help Service Drupal 10 Upkeep and Help Servicemail() – Essential – Distant Code Execution – 7 and 8 When sending e-mail some variables weren’t being sanitized for shell arguments, which might result in distant code execution. Reported by Damien Tournoud Fastened by Lee Rowlands of Drupal Developer Safety Crew Sascha Grossenbacher Daniel Wehner Klaus Purer Damien Tournoud Stefan Ruijsenaars of Drupal Developer Safety Crew David Rothstein of Drupal Developer Safety Crew David Snopek of Drupal Developer Safety Crew Jess of Drupal Developer Safety Crew Wim Leers Peter Wolanin of Drupal Developer Safety Crew Ted Bowman Provisional member of Drupal Developer Safety Crew Contextual Hyperlinks validation – Essential – Distant Code Execution – 8 Drupal Development Service Contextual Hyperlinks Drupal 10 module does not sufficiently validate Drupal Developer requested contextual hyperlinks. This vulnerability is mitigated by Drupal Developer incontrovertible fact that an attacker should have a job with Drupal Developer permission “entry contextual hyperlinks”. Reported by Nick Booher Fastened by Lee Rowlands of Drupal Developer Safety Crew Nick Booher Samuel Mortenson of Drupal Developer Safety Crew Wim Leers Alex Pott of Drupal Developer Safety Crew Answer Improve to Drupal Developer most up-to-date model of 7 or 8 core. If you’re working 7.x, improve to 7.60. If you’re working 8.6.x, improve to 8.6.2. If you’re working 8.5.x or earlier, improve to 8.5.8. Minor variations of 8 prior to eight.5.x should not supported and don’t obtain safety protection, so websites working older variations ought to replace to Drupal Developer above 8.5.x launch instantly. 8.5.x will obtain safety protection till Could 2021. Drupal 10 Growth and Help