Hírolvasó

Project: Two-factor Authentication (TFA)Date: 2025-July-02Security risk: Less critical 9 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.11.0CVE IDs: CVE-2025-7030Description: 

This module enables you to allow and/or require a second authentication method in addition to password authentication.

The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Administer TFA for other users permission.

Solution: 

Install the latest version:

• If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.11.

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• Conrad Lara (cmlara)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Dan Smith (galooph) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Klaro Cookie & Consent ManagementDate: 2025-June-25Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <3.0.7CVE IDs: CVE-2025-5682Description: 

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

Solution: 

Install the latest version:

• If you use the Klaro Cookie & Consent Management module for Drupal 10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.7

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Jan Kellermann (jan kellermann)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Open SocialDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <12.3.14 || >=12.4.0 <12.4.13CVE IDs: CVE-2025-48921Description: 

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.14
• If you use Open Social 12.4.x upgrade to Open Social 12.4.13

Reported By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By: 

• Alexander Varwijk (kingdutch)
• Robert Ragas (robertragas)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: GLightboxDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: <1.0.16CVE IDs: CVE-2025-48922Description: 

GLightbox module is a pure Javascript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.

Solution: 

Install the latest version:

• If you use the GLightbox module, upgrade to GLightbox 1.0.16

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Ivan Abramenko (levmyshkin)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Toc.jsDate: 2025-June-25Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-48923Description: 

This module enables you to generate Table of content of your pages given a configuration.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.

Solution: 

Install the latest version:

• If you use the Toc JS module, upgrade to Toc Js 3.2.1

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Flocon de toile (flocondetoile)
• Frank Mably (mably)
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team