Hírolvasó

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Owl Carousel 2Date: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9554Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: API Key managerDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9553Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Synchronize composer.json With Contrib ModulesDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9552Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Protected PagesDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0CVE IDs: CVE-2025-9551Description: 

This module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Oksana Cyrwus (oksana-c)
• Ra Mänd (ram4nd)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9550Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joris Vercammen (borisson_)
• Thomas Seidl (drunken monkey)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9549Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Joris Vercammen (borisson_)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Thomas Seidl (drunken monkey)
• Jimmy Henderickx (strykaizer)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.1.8CVE IDs: CVE-2025-8093Description: 

This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Layout Builder Advanced PermissionsDate: 2025-August-13Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: 2.2.0CVE IDs: CVE-2025-8996Description: 

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

• Node: View published content
• Node: (Your content type): Create new content
• Node: (Your content type): Edit any content
• Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
• Layout builder advanced permissions: Access Layout Builder page

Solution: 

Install the latest version:

• If you use the Layout Builder Advanced Permissions module, upgrade to Layout Builder Advanced Permissions 2.2.1

Reported By: 

• Eelke Blok (eelkeblok)
• Michael Whittaker (mrwhittaker)

Fixed By: 

• Eelke Blok (eelkeblok)
• Sorin Dediu (sdstyles)
• Sean Blommaert (seanb)

Coordinated By: 

• Anna Kalata (akalata)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-13Security risk: Highly critical 21 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: Access bypassAffected versions: <2.1.4CVE IDs: CVE-2025-8995Description: 

This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.

The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.

This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).

Solution: 

Install the latest version:

• If you use the alogin module for Drupal 10^, upgrade to the latest version or at least Alogin 2.1.5

Note: the fix is in a tag in git for 2.1.4 however there is no release for that tag. The fix is also in 2.1.5 release.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Dan Smith (galooph) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: AI SEO Link AdvisorDate: 2025-August-06Security risk: Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Server-side Request ForgeryAffected versions: <1.0.6CVE IDs: CVE-2025-8675Description: 

This module enables you to provide SEO analysis and recommendations for a given URL.

The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access seo analyzer".

Solution: 

Install the latest version:

• If you use the AI SEO Link Advisor module 1.0.x, upgrade to AI SEO Link Advisor 1.0.6

Reported By: 

• Alberto Cocchiara (bigbabert)
• Conrad Lara (cmlara)

Fixed By: 

• Alberto Cocchiara (bigbabert)
• Conrad Lara (cmlara)
• Vishal Kadam (vishal.kadam)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: GoogleTag ManagerDate: 2025-July-30Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.10.0CVE IDs: CVE-2025-8362Description: 

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.

The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.

Solution: 

Install the latest version:

If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google Tag Manager 8.x-1.10.

The new version includes validation to prevent injection and restricts risky inputs.

Additionally, site administrators should review which roles have the Administer gtm permission at /admin/people/permissions.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Fixed By: 

• Anatoly Politsin (apolitsin)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Config PagesDate: 2025-July-30Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.18.0CVE IDs: CVE-2025-8361Description: 

This module enables you to access an edit page for a config page.

The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.

Solution: 

Install the latest version:

• If you use the Config Pages module, upgrade to Config Pages 8.x-2.18.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Fixed By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Alexander Shumenko (shumer)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Heine Deelstra (heine) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: COOKiES Consent ManagementDate: 2025-July-23Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.2.16CVE IDs: CVE-2025-8092Description: 

This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.

This vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.

Solution: 

Install the latest version:

• If you use the COOKiES Video submodule for Drupal upgrade to COOKiES 1.2.16

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Joshua Sedler (grevil)
• Joachim Feltkamp (jfeltkamp)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Real-time SEO for DrupalDate: 2025-July-16Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: >=2.0.0 <2.2.0CVE IDs: CVE-2025-7716Description: 

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.

Solution: 

Install the latest version:

• Upgrade to yoast_seo 8.x-2.2.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team.

Fixed By: 

• Alexander Varwijk (kingdutch)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team.

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Block AttributesDate: 2025-July-16Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.1.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-7715Description: 

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.

The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.

This vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.

Solution: 

Install the latest version:

• If you use the Block Attributes module for Drupal, upgrade to Block Attributes 8.x-1.1 or Block Attributes 2.0.1.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Kostia Bohach (_shy)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: File DownloadDate: 2025-July-16Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.9.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-7717Description: 

The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.

The File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.

Solution: 

Install the latest version:

• If you use the File Download module for Drupal 8.x, upgrade to File Download 2.0.1 or File Download 8.x-1.9.

Reported By: 

• Willem Drupal enthousiast (willempje2)

Fixed By: 

• Shelane French (shelane)
• Willem Drupal enthousiast (willempje2)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Mail LoginDate: 2025-July-09Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >3.0.0 <3.2.0 || >=4.0.0 <4.2.0CVE IDs: CVE-2025-7393Description: 

This module enables users to login by email address with the minimal configurations.

The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.

Solution: 

Install the latest version:

• If you use the mail_login 3.x, upgrade to Mail Login 3.2.0
• If you use the mail_login 4.x, upgrade to Mail Login 4.2.0

Reported By: 

• Ryugo Kinoshita (dc-kinoshita)

Fixed By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Mohammad AlQanneh (mqanneh)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Cookies AddonsDate: 2025-July-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: >1.0.0 < 1.2.4CVE IDs: CVE-2025-7392Description: 

This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.

The module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.

Solution: 

Install the latest version:

• Upgrade to Cookies Addons 1.2.4

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Guido Schmitz (guido_s)
• Kostia Bohach (_shy)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Config Pages ViewerDate: 2025-July-02Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.4CVE IDs: CVE-2025-7031Description: 

This module enables you to use config_pages as a content entity.

The module doesn't check permission or entity access before rendering config_pages content.

Solution: 

Install the latest version:

• If you use the Config Pages Viewer module at version 1.0.3 and lesser, upgrade to Config Pages Viewer 1.0.4.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• drdam
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team