Hírolvasó

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.28
Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.27
Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.27
Project: Umami AnalyticsDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.1CVE IDs: CVE-2025-10931Description: 

This module enables you to add Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Solution: 

Install the latest version:

  • If you use the Umami Analytics module upgrade to Umami Analytics 1.0.1 or 2.0.-beta3

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.27
Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.18
Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 24. 19.16
Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

Biztonsági figyelmeztetések (contrib) - 2025. szeptember 3. 18.15
Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.20
Project: Owl Carousel 2Date: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9554Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Kategóriák: Biztonsági figyelmeztetések

API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.20
Project: API Key managerDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9553Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Kategóriák: Biztonsági figyelmeztetések

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.20
Project: Synchronize composer.json With Contrib ModulesDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9552Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Kategóriák: Biztonsági figyelmeztetések

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.19
Project: Protected PagesDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0CVE IDs: CVE-2025-9551Description: 

This module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.19
Project: FacetsDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9550Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.19
Project: FacetsDate: 2025-August-27Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9549Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 27. 19.19
Project: Authenticator LoginDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.1.8CVE IDs: CVE-2025-8093Description: 

This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

  • If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8
Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 13. 19.33
Project: Layout Builder Advanced PermissionsDate: 2025-August-13Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: 2.2.0CVE IDs: CVE-2025-8996Description: 

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

  • Node: View published content
  • Node: (Your content type): Create new content
  • Node: (Your content type): Edit any content
  • Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
  • Layout builder advanced permissions: Access Layout Builder page
Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 13. 19.33
Project: Authenticator LoginDate: 2025-August-13Security risk: Highly critical 21 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: Access bypassAffected versions: <2.1.4CVE IDs: CVE-2025-8995Description: 

This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.

The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.

This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).

Solution: 

Install the latest version:

  • If you use the alogin module for Drupal 10^, upgrade to the latest version or at least Alogin 2.1.5

Note: the fix is in a tag in git for 2.1.4 however there is no release for that tag. The fix is also in 2.1.5 release.

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095

Biztonsági figyelmeztetések (contrib) - 2025. augusztus 6. 18.50
Project: AI SEO Link AdvisorDate: 2025-August-06Security risk: Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Server-side Request ForgeryAffected versions: <1.0.6CVE IDs: CVE-2025-8675Description: 

This module enables you to provide SEO analysis and recommendations for a given URL.

The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access seo analyzer".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

Biztonsági figyelmeztetések (contrib) - 2025. július 30. 18.31
Project: GoogleTag ManagerDate: 2025-July-30Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.10.0CVE IDs: CVE-2025-8362Description: 

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.

The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.

Solution: 

Install the latest version:

If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google Tag Manager 8.x-1.10.

The new version includes validation to prevent injection and restricts risky inputs.

Additionally, site administrators should review which roles have the Administer gtm permission at /admin/people/permissions.

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093

Biztonsági figyelmeztetések (contrib) - 2025. július 30. 18.30
Project: Config PagesDate: 2025-July-30Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.18.0CVE IDs: CVE-2025-8361Description: 

This module enables you to access an edit page for a config page.

The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések

COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

Biztonsági figyelmeztetések (contrib) - 2025. július 23. 19.10
Project: COOKiES Consent ManagementDate: 2025-July-23Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.2.16CVE IDs: CVE-2025-8092Description: 

This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.

This vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.

Solution: 

Install the latest version:

  • If you use the COOKiES Video submodule for Drupal upgrade to COOKiES 1.2.16
Reported By: Fixed By: Coordinated By: 
Kategóriák: Biztonsági figyelmeztetések