
Multiple security updates have been released today for contributed modules on drupal.org. If you use the REST Views or Advanced Progressive Web App (PWA) modules, you should update as soon as possible to ensure your site's security.

The REST Views module had a moderately critical information disclosure vulnerability. Versions prior to 3.0.1 did not properly check access, potentially exposing paths to unpublished content and entities referenced from REST exports. Updating to REST Views 3.0.1 will remedy the issue. Sites using the unsupported REST Views 8.x-1.x branch or REST Views 2.x should also update to 3.0.1.

The Advanced PWA module had a critical access bypass vulnerability. 
For versions lower than 1.5.0, unauthorized users could view and modify the module's configuration. 
If you use Advanced PWA 8.x-1.x, update to version 1.5 to secure your settings.

These vulnerabilities underscore the importance of keeping Drupal sites up to date and tracking security advisories. 
Site owners should have processes in place to promptly test and install security updates.
If you have any of the affected module versions installed, update immediately. 
If you need assistance with updates or have questions about the security of your Drupal site, consult with your development team or a Drupal security expert.
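
One way to check a site against the fixed versions named above is to audit its `composer.lock`. This is an added example, not code from drupal.org or from either module; the Composer package names `drupal/rest_views` and `drupal/advanced_pwa` are assumed from the usual `drupal/<project>` naming, and the lock file contents are constructed sample data.

```python
import json
import re

# Fixed releases as stated in the advisory summary above. The Composer package
# names are assumptions based on the usual drupal/<project> naming.
FIXED = {
    "drupal/rest_views": (3, 0, 1),
    "drupal/advanced_pwa": (1, 5, 0),
}

def parse_version(raw):
    """Turn '3.0.0', 'v2.1', '8.x-1.4' or '1.5.0-beta1' into (tuple, is_prerelease).
    Returns None for branch builds such as 'dev-3.x' or '2.x-dev'."""
    v = raw.strip().lower().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop Drupal core-compat prefix (8.x-1.4 -> 1.4)
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(-(?:alpha|beta|rc)\d*)?", v)
    if not m:
        return None
    nums = tuple(int(g or 0) for g in m.group(1, 2, 3))
    return nums, m.group(4) is not None

def audit_lock(lock_text):
    """Return {package: (installed_version, status)} for the two modules."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "").lower()
        if name not in FIXED:
            continue
        parsed = parse_version(pkg.get("version", ""))
        if parsed is None:
            status = "unknown"  # dev branch: the version string alone cannot decide
        else:
            nums, prerelease = parsed
            # Conservative choice: a pre-release of the fixed version is not
            # counted as the fixed release itself.
            affected = nums < FIXED[name] or (nums == FIXED[name] and prerelease)
            status = "affected" if affected else "fixed"
        findings[name] = (pkg.get("version"), status)
    return findings

# Constructed sample composer.lock fragment, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/rest_views", "version": "2.0.1"},
    {"name": "drupal/advanced_pwa", "version": "1.5.0"},
    {"name": "drupal/core", "version": "10.2.0"},
]})

if __name__ == "__main__":
    for name, (version, status) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

A status of `unknown` means the module is installed from a development branch and the installed commit has to be compared against the fixed release by hand.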

 

About Module: REST Views

This module enhances the REST export functionality in Views to solve the following use cases:

  • Your field has multiple values. You want to render each item, but export them as an array instead of a single string.
  • Your field contains data that is a JSON primitive (i.e., a boolean or number). You want to export this value as the correct type, instead of a string.
  • Your field is an entity reference. You want to export the target entity as a nested object, instead of a single string.

 

About Module: Advanced PWA

What is a progressive web app?
Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.

Features

  • Make your website installable on mobile devices by clicking on "add to home screen". 
    This prompt is triggered when a visitor returns frequently to your website
  • Use Service Worker for caching and using your website offline
  • User can choose to subscribe or not to subscribe to push notifications
  • Notifications will be sent to subscribed users on publish of specific content types. Site admin can choose such content types using this module
  • Site admin can send generic notifications to all subscribed users
  • Site admin can set background color and theme color of progressive web app
  • Site admin can set public / private keys that will be used to sign Push API requests
  • Site admin can view subscribed users (User id and subscription endpoint)