Security advisories (core)

Drupal core - Moderately critical - Defacement - SA-CORE-2025-007

November 12, 2025, 21:16
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Defacement
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13082
Description:

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.

The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.

Solution: 

Install the latest version:

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
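
To decide whether a given site needs this update, the "Affected versions" constraint can be evaluated against the installed core version. The following is an added example, not code from the advisory or from Drupal; the function names are illustrative, and dev or pre-release version strings are rejected rather than guessed at.

```python
import re

# Constraint string copied from the "Affected versions" field of the advisory.
AFFECTED = (">= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || "
            ">= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8")

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple of integers.

    Dev or pre-release strings (e.g. '11.2.x-dev') raise ValueError so the
    caller reviews them by hand instead of getting a false "not affected".
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a plain release version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_constraint(expr):
    """Turn 'A || B' into a list of clauses, each a list of (op, version)."""
    clauses = []
    for part in expr.split("||"):
        terms = re.findall(r"(>=|<=|>|<)\s*(\d+(?:\.\d+){1,2})", part)
        if not terms:
            raise ValueError(f"empty clause in constraint: {part!r}")
        clauses.append([(op, parse_version(v)) for op, v in terms])
    return clauses

def is_affected(installed, expr=AFFECTED):
    """True if the version satisfies every term of at least one clause."""
    v = parse_version(installed)
    return any(all(OPS[op](v, bound) for op, bound in clause)
               for clause in parse_constraint(expr))

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for ver in ["10.3.14", "10.4.9", "10.5.5", "10.5.6", "11.0.13", "11.2.8"]:
        print(ver, "affected" if is_affected(ver) else "not in affected range")
```

Versions on end-of-life branches (for example 10.3.x or 11.0.x) report as affected and have no fixed release on their own branch.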


Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006

November 12, 2025, 19:34
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Gadget chain
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13081
Description:

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)


Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005

November 12, 2025, 19:33
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Denial of Service
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13080
Description:

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This could be exploited in various ways:

  • Broken rendering of some pages
  • Unstyled or malformatted pages
  • Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability.

Solution: 

Install the latest version:

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)


Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

November 12, 2025, 19:33
Project: Drupal core
Date: 2025-November-12
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13083
Description:

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.

In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.

This vulnerability is mitigated by the following:

  1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
  2. An attacker must know to request a file that has previously been requested by a more-privileged user, and that file must still be cached.

Solution: 

Install the latest version:

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
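
Until the update is installed, and as a regression check afterwards, responses for non-public files can be audited for headers that let Varnish or a CDN store them. The following is an added example, not code from the advisory or from Drupal; the URL prefixes in `PROTECTED_PREFIXES` are assumptions to adjust per site, and the sample responses are constructed.

```python
# Assumption: URL prefixes under which this site serves non-public files.
# Add the paths used by any custom or contributed file scheme.
PROTECTED_PREFIXES = ("/system/files/", "/system/temporary")

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for item in (value or "").split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_risk(path, headers):
    """Return a reason if a shared cache may store this response, else None."""
    if not path.startswith(PROTECTED_PREFIXES):
        return None  # public files are expected to be cacheable
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control"))
    if "no-store" in cc:
        return None
    if "public" in cc:
        return "Cache-Control: public on a non-public file"
    s_maxage = cc.get("s-maxage")
    if s_maxage and s_maxage.isdigit() and int(s_maxage) > 0:
        return "s-maxage permits storage in a shared cache"
    return None

def audit(responses):
    """Return [(path, reason)] for every risky (path, headers) pair."""
    findings = []
    for path, headers in responses:
        reason = shared_cache_risk(path, headers)
        if reason:
            findings.append((path, reason))
    return findings

# Constructed sample responses, e.g. collected with an HTTP client or from proxy logs.
SAMPLE = [
    ("/system/files/reports/q3.pdf", {"Cache-Control": "public, max-age=3600"}),
    ("/system/files/reports/q4.pdf", {"Cache-Control": "private, no-store"}),
    ("/sites/default/files/logo.png", {"Cache-Control": "public, max-age=31536000"}),
    ("/system/files/export.csv", {"cache-control": "max-age=0, s-maxage=600"}),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```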
