Security-news October 2025

security-news@drupal.org

1 participants
3 discussions

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
by security-news＠drupal.org 29 Oct '25

29 Oct '25

View online: https://www.drupal.org/sa-contrib-2025-114 Project: Simple OAuth (OAuth2) & OpenID Connect [1] Date: 2025-October-29 Security risk: *Critical* 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <6.0.7 CVE IDs: CVE-2025-12466 Description: This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token. This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned. Solution: Install the latest version: * If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7 [3] Reported By: * coffeemakr [4] Fixed By: * Bojan Bogdanovic (bojan_dev) [5] * coffeemakr [6] * Juraj Nemec (poker10) [7] of the Drupal Security Team Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [10] [1] https://www.drupal.org/project/simple_oauth [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/simple_oauth/releases/6.0.7 [4] https://www.drupal.org/u/coffeemakr [5] https://www.drupal.org/u/bojan_dev [6] https://www.drupal.org/u/coffeemakr [7] https://www.drupal.org/u/poker10 [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
by security-news＠drupal.org 22 Oct '25

22 Oct '25

View online: https://www.drupal.org/sa-contrib-2025-113 Project: CivicTheme Design System [1] Date: 2025-October-22 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site Scripting Affected versions: <1.12.0 CVE IDs: CVE-2025-12083 Description: CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts. Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected. This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site. CivicTheme with its default permissions restricts the creation of content to content author and content approver roles. Solution: Install the latest version: * If you use the CivicTheme theme, upgrade to CivicTheme 1.12 [3]. Reported By: * Adam Bramley (acbramley) [4] * Lee Rowlands (larowlan) [5] of the Drupal Security Team Fixed By: * Alan Cole (alan.cole) [6] * Daniel (danielgry) [7] * Fiona Morrison (fionamorrison23) [8] * Suchi Garg (gargsuchi) [9] * Lee Rowlands (larowlan) [10] of the Drupal Security Team * Richard Gaunt (richardgaunt) [11] Coordinated By: * Greg Knaddison (greggles) [12] of the Drupal Security Team * Lee Rowlands (larowlan) [13] of the Drupal Security Team * Drew Webber (mcdruid) [14] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [15] [1] https://www.drupal.org/project/civictheme [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/civictheme/releases/1.12.0 [4] https://www.drupal.org/u/acbramley [5] https://www.drupal.org/u/larowlan [6] https://www.drupal.org/u/alancole [7] https://www.drupal.org/u/danielgry-0 [8] https://www.drupal.org/u/fionamorrison23 [9] https://www.drupal.org/u/gargsuchi [10] https://www.drupal.org/u/larowlan [11] https://www.drupal.org/u/richardgaunt [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/u/larowlan [14] https://www.drupal.org/u/mcdruid [15] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112
by security-news＠drupal.org 22 Oct '25

22 Oct '25

View online: https://www.drupal.org/sa-contrib-2025-112 Project: CivicTheme Design System [1] Date: 2025-October-22 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information disclosure Affected versions: <1.12.0 CVE IDs: CVE-2025-12082 Description: CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view. This results in: * Draft or never-published Event node data being visible to anonymous users on cards. * Archived content persisting in curated content lists. This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates. Solution: Install the latest version: * If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0 [3] Reported By: * Lee Rowlands (larowlan) [4] of the Drupal Security Team Fixed By: * Alan Cole (alan.cole) [5] * Daniel (danielgry) [6] * Fiona Morrison (fionamorrison23) [7] * Suchi Garg (gargsuchi) [8] * Joshua Fernandes (joshua1234511) [9] * Lee Rowlands (larowlan) [10] of the Drupal Security Team * Richard Gaunt (richardgaunt) [11] Coordinated By: * Greg Knaddison (greggles) [12] of the Drupal Security Team * Lee Rowlands (larowlan) [13] of the Drupal Security Team * Drew Webber (mcdruid) [14] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [15] [1] https://www.drupal.org/project/civictheme [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/civictheme/releases/1.12.0 [4] https://www.drupal.org/u/larowlan [5] https://www.drupal.org/u/alancole [6] https://www.drupal.org/u/danielgry-0 [7] https://www.drupal.org/u/fionamorrison23 [8] https://www.drupal.org/u/gargsuchi [9] https://www.drupal.org/u/joshua1234511 [10] https://www.drupal.org/u/larowlan [11] https://www.drupal.org/u/richardgaunt [12] https://www.drupal.org/u/greggles [13] https://www.drupal.org/u/larowlan [14] https://www.drupal.org/u/mcdruid [15] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news October 2025