Multiple issues were reported in the latest Drupal security advisory.
1. Content moderation - Moderately critical - Access bypass - Drupal 8
In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.
2. External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8
The path module allows users with the 'administer paths' permission to create pretty URLs for content.
In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL.
3. Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8
Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
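Both open-redirect items above come down to the same defensive check: a redirect target taken from the request (a path alias or a "destination" parameter) must be a path on this site, never an external URL. The following is an added example, not Drupal code; it assumes a hypothetical request handler that reads the `destination` query parameter and falls back to the front page when the value is not a local path. It rejects absolute URLs, protocol-relative `//host` forms (including their percent-encoded spelling, which the query parser decodes), backslashes (which browsers fold into slashes) and control characters.

```python
from urllib.parse import parse_qs, urlsplit


def is_local_destination(destination: str) -> bool:
    """True only when `destination` is a path on this site.

    Accepts "/path", "/path?query" and "/path#fragment"; rejects
    absolute URLs, protocol-relative "//host" forms, backslashes and
    control characters, all of which can steer the browser off-site.
    """
    if not destination or not destination.startswith("/"):
        return False
    if destination.startswith("//") or "\\" in destination:
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in destination):
        return False
    parts = urlsplit(destination)
    # A site-relative path parses with neither scheme nor authority.
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(query_string: str, fallback: str = "/") -> str:
    """Pick the post-action redirect from a request's query string.

    Hypothetical helper: returns the `destination` value when it passes
    the local-path check, otherwise the site-relative fallback.
    parse_qs percent-decodes values, so encoded "//" is caught too.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    candidate = params.get("destination", [""])[0]
    return candidate if is_local_destination(candidate) else fallback


if __name__ == "__main__":
    # Constructed sample query strings, as they might arrive after a form post.
    for qs in ("destination=/user/1/edit",
               "destination=https://example.org/",
               "destination=%2F%2Fexample.org",
               "destination=/node/5?page=2"):
        print(f"{qs!r:45} -> {redirect_target(qs)}")
```

The check is deliberately an allow-list on shape (must start with a single `/`, must parse to no scheme and no host) rather than a deny-list of known bad prefixes; anything the parser cannot positively classify as local goes to the fallback.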
4. Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8
When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
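The class of bug in item 4 is a request-controlled value reaching a command line that a shell interprets. The following is an added example, not Drupal's `DefaultMailSystem::mail()`; it assumes the common pattern of passing the envelope sender to a local sendmail binary as an `-f` argument. The fix shown is twofold: validate the address against a strict allow-list pattern, and hand the command to the OS as an argument vector (or, where a shell string is unavoidable, quote every argument with `shlex.quote`, the Python counterpart of PHP's `escapeshellarg`).

```python
import re
import shlex

# Conservative envelope-sender shape: local part, "@", dotted domain.
# Whitespace, quotes and shell metacharacters are simply not in the set.
_ENVELOPE_SENDER = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def sendmail_argv(return_path: str,
                  sendmail_path: str = "/usr/sbin/sendmail") -> list:
    """Build the argument vector for the local sendmail binary.

    Hypothetical helper: the return path becomes a single "-f<address>"
    argv element, so no shell ever parses it. Input that does not match
    the strict address pattern is rejected outright.
    """
    if not _ENVELOPE_SENDER.fullmatch(return_path):
        raise ValueError("invalid envelope sender: %r" % return_path)
    return [sendmail_path, "-t", "-i", "-f" + return_path]


def sendmail_command(return_path: str,
                     sendmail_path: str = "/usr/sbin/sendmail") -> str:
    """Same command rendered as a shell string, every argument quoted.

    Only needed when an API insists on a shell command line (as PHP's
    mail() does); the validated argv above is the preferred form.
    """
    return " ".join(shlex.quote(arg)
                    for arg in sendmail_argv(return_path, sendmail_path))


if __name__ == "__main__":
    # Constructed sample inputs: one valid sender, one with a stray space.
    print(sendmail_argv("alice@example.org"))
    print(sendmail_command("alice@example.org"))
    try:
        sendmail_argv("alice @example.org")
    except ValueError as exc:
        print("rejected:", exc)
```

Validation before quoting matters because quoting only stops the shell from misreading the value; it does not stop the mail binary from interpreting an unexpected string as one of its own options, which the strict address pattern rules out.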
5. Contextual Links validation - Critical - Remote Code Execution - Drupal 8
The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".
Created drupal7 tracking bugs for this issue:
Affects: epel-all [bug 1643124]
Affects: fedora-all [bug 1643122]
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1643123]
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
All dependent bugs have been closed. Can this tracking bug be closed?