Biztonsági figyelmeztetések

Project: Search API SolrDate: 2025-April-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.3.9CVE IDs: CVE-2025-3907Description: 

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that a site admin would have to perform further steps after the attack for it to have any effect.

Solution: 

Install the latest version:

• If you use the Search API Solr module for Drupal 8+, upgrade to Search API Solr 4.3.10.

We also recommend checking your Solr configuration for any unintended changes.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Thomas Seidl (drunken monkey)
• Markus Kalkbrenner (mkalkbrenner)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: SportsleagueDate: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3904Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: UEditor - 百度编辑器Date: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3903Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Block ClassDate: 2025-April-23Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: >=4.0.0 <4.0.1CVE IDs: CVE-2025-3902Description: 

Block Class enables you to add custom attributes to blocks.

The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer block classes".

Solution: 

Install the latest version:

• If you use the Block Class on 4.0.x upgrade to Block Class 4.0.1

Reported By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By: 

• renatog

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Bootstrap Site AlertDate: 2025-April-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.13.0 || >=3.0.0 <3.0.4CVE IDs: CVE-2025-3901Description: 

This module enables you to put a site wide bootstrap themed alert message on the top of every page.

The module doesn't sufficiently filter text input when leading to a possible XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bootstrap site alerts".

Solution: 

Install the latest version:

• If you use the bootstrap_site_alert module 8.x-1.x, upgrade to bootstrap_site_alert 8.x-1.23.
• If you use the bootstrap_site_alerts module 3.0.x, upgrade to bootstrap_site_alert 3.0.4.

Reported By: 

• Mitch Portier (arkener)
• Elijah Byrd (elibyrd)

Fixed By: 

• Mitch Portier (arkener)
• Joseph Olstad (joseph.olstad)
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: ColorboxDate: 2025-April-23Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.1.3CVE IDs: CVE-2025-3900Description: 

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

• If you use the Colorbox module 2.1.x for Drupal 10 or above, upgrade to Colorbox 2.1.3
• If you use the Colorbox module 2.0.x, upgrade to Colorbox 2.1.3, as the 2.0.x branch becomes unsupported.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Jen Lampton (jenlampton)
• Paul McKibben (paulmckibben)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal 8 Google Optimize Hide PageDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3739Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Google OptimizeDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3738Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Google Maps: Store LocatorDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3737Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Simple GTMDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3736Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Panelizer (obsolete)Date: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3735Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Stage File ProxyDate: 2025-April-16Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: <3.1.5CVE IDs: CVE-2025-3734Description: 

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources.

This vulnerability is mitigated by the fact it only affects sites where the Origin is configured with a trailing slash. Sites that cannot upgrade immediately can confirm they do not have a trailing slash or remove the trailing slash to mitigate the issue.

Solution: 

Install the latest version:

• If you use the Stage File Proxy module for Drupal, upgrade to Stage File Proxy 3.1.5

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Stephen Mustgrave (smustgrave)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: baguetteBox.jsDate: 2025-April-16Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.4 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-3733Description: 

The baguetteBox.js module provides integration with baguetteBox.js library.

The module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability.

Solution: 

Install the latest version:

• If you use the baguetteBox.js module 3.0.x, upgrade to baguetteBox.js 3.0.1
• If you use the baguetteBox.js module 2.0.x, upgrade to baguetteBox.js 2.0.4

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Stephen Mustgrave (smustgrave)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: PanelsDate: 2025-April-09Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.9.0CVE IDs: CVE-2025-3474Description: 

Panels enables administrators to add page variants within page manager, panelizer, etc to create custom pages.

The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the variant and underlying page, which is not available within the source code of a page. Additionally, only simple blocks can be added or edited, as a more complex block will trigger an error due to missing permissions.

Solution: 

Install the latest version:

• If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9

Reported By: 

• Manuel Adán (manuel.adan)

Fixed By: 

• Jakob P (japerry)
• Manuel Adán (manuel.adan)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Gif Player FieldDate: 2025-April-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingAffected versions: <1.5.0 || >=2.0.0 <2.0.4CVE IDs: CVE-2025-31128Description: 

Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.

The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.

This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.

Solution: 

There are multiple steps. First, install the latest version. Second, download and install the library. See details below.

• If you use the Gif Player module for Drupal ^10.3 || ^11, upgrade to Gif Player 2.0.4
• If you are still using the old Gif Player 8.x-1.4 module for Drupal 9/10, upgrade to Gif Player 8.x-1.5 (but it is suggested to to upgrade to the 2.0.4 version if possible, as the 8.x-1.x branch will be phased out soon)

Please notice that the GifPlayer library is not included in the module anymore (file js/gifplayer.js) and needs to be downloaded separately in the /libraries directory (see the README.md for more details).

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Daniel Rodriguez (danrod)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: ECA: Event - Condition - ActionDate: 2025-April-09Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site request forgeryAffected versions: <1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*CVE IDs: CVE-2025-3131Description: 

This module enables you to define automations on your Drupal site.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that an attacker must get a user with the permission "administer eca" to follow to a given site. It can also be mitigated by disabling the "eca_ui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.

Solution: 

Install the latest version:

• If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 or ECA 2.0.16 or ECA 2.1.7

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Jürgen Haas (jurgenhaas)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: WEB-TDate: 2025-April-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypass, Denial of serviceAffected versions: <1.1.0CVE IDs: CVE-2025-3475Description: 

This module enables you to translate nodes, configuration, UI strings automatically.

The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of entities with arbitrary content and create load on the system leading to a Denial of Service.

Solution: 

Install the latest version:

• If you use the WEB-T module with version < 1.1.0, upgrade to WEB-T 1.1.0

Reported By: 

• Jan Kellermann (jan kellermann)

Fixed By: 

• dragels
• Jan Kellermann (jan kellermann)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: ObfuscateDate: 2025-April-02Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.0.1CVE IDs: CVE-2025-3130Description: 

This module enables you to obfuscate email addresses, to avoid them being easily available to spammers.

The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML tag attributes. In a default Drupal installation this would require the administrator role and use of the Full HTML text format. It also requires that the ROT13 encoding be enabled in Obfuscate settings.

Solution: 

Install the latest version:

• Upgrade to Obfuscate 2.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Nigel Cunningham (nigelcunningham)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Access codeDate: 2025-April-02Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.4CVE IDs: CVE-2025-3129Description: 

This module enables users to log in using a short access code instead of providing a username/password combination.

The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:

1. disabling the access code login method for critical accounts
2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)

Solution: 

Install the latest version:

• If you use the access_code module for Drupal 8.x or later, upgrade to access_code 2.0.4

Reported By: 

• Marcin Maruszewski (marcin maruszewski)

Fixed By: 

• Gergely Lekli (glekli)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: TacJSDate: 2025-April-02Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <6.7.0CVE IDs: CVE-2025-31476Description: 

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

Solution: 

Install the latest version:

• If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.7

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Frank Mably (mably)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team