Security advisories

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

Security advisories (contrib) - April 16, 2025, 18:26
Project: Drupal 8 Google Optimize Hide Page
Date: 2025-April-16
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2025-3739
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039

Security advisories (contrib) - April 16, 2025, 18:25
Project: Google Optimize
Date: 2025-April-16
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2025-3738
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038

Security advisories (contrib) - April 16, 2025, 18:25
Project: Google Maps: Store Locator
Date: 2025-April-16
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2025-3737
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037

Security advisories (contrib) - April 16, 2025, 18:25
Project: Simple GTM
Date: 2025-April-16
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2025-3736
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036

Security advisories (contrib) - April 16, 2025, 18:25
Project: Panelizer (obsolete)
Date: 2025-April-16
Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Unsupported
Affected versions: *
CVE IDs: CVE-2025-3735
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

Security advisories (contrib) - April 16, 2025, 18:25
Project: Stage File Proxy
Date: 2025-April-16
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Denial of Service
Affected versions: <3.1.5
CVE IDs: CVE-2025-3734
Description:

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources.

This vulnerability is mitigated by the fact that it only affects sites where the Origin is configured with a trailing slash. Sites that cannot upgrade immediately can confirm that their Origin has no trailing slash, or remove the trailing slash, to mitigate the issue.

Solution: 

Install the latest version:


baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034

Security advisories (contrib) - April 16, 2025, 18:24
Project: baguetteBox.js
Date: 2025-April-16
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Affected versions: <2.0.4 || >=3.0.0 <3.0.1
CVE IDs: CVE-2025-3733
Description:

The baguetteBox.js module provides integration with the baguetteBox.js library.

The module doesn't sufficiently sanitize user-supplied text values, leading to a cross-site scripting vulnerability.

Solution: 

Install the latest version:
