February 2025 - Security-news

OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
by security-news＠drupal.org 26 Feb '25

26 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-020 Project: OAuth2 Server [1] Date: 2025-February-26 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <2.1.0 Description: Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate. Solution: Install the latest version: * If you use the OAuth2 server module for Drupal 2.x, upgrade to OAuth2 server 2.1.0 [3] Reported By: * Pierre Rudloff (prudloff) [4] Fixed By: * cafuego [5] * Lee Rowlands (larowlan) [6] of the Drupal Security Team Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team [1] https://www.drupal.org/project/oauth2_server [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/oauth2_server/releases/2.1.0 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/cafuego [6] https://www.drupal.org/u/larowlan [7] https://www.drupal.org/u/greggles

1 0

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019
by security-news＠drupal.org 26 Feb '25

26 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-019 Project: Cache Utility [1] Date: 2025-February-26 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <1.2.1 || >=1.3.0 <1.3.0 Description: The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache. Solution: Install the latest version: * If you use the Cache Utility module for Drupal 1.2.x, upgrade to Cache Utility 1.2.1 [3] * If you use the Cache Utility module for Drupal 1.x, you can also upgrade to Cache Utility 1.3.0 [4] Reported By: * Pierre Rudloff (prudloff) [5] Fixed By: * cyoun [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team [1] https://www.drupal.org/project/cache_utility [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/cache_utility/releases/1.2.1 [4] https://www.drupal.org/project/cache_utility/releases/1.3.0 [5] https://www.drupal.org/u/prudloff [6] https://www.drupal.org/u/cyoun [7] https://www.drupal.org/u/greggles

1 0

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018
by security-news＠drupal.org 26 Feb '25

26 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-018 Project: General Data Protection Regulation [1] Date: 2025-February-26 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <3.0.1 || >=3.1.0 <3.1.2 Description: The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks. Solution: Install the latest version: * If you use the General Data Protection Regulation module 3.0.x, upgrade to 3.0.1 [3] * If you use the General Data Protection Regulation module 3.1.x, upgrade to 3.1.2 [4] Reported By: * Pierre Rudloff (prudloff) [5] Fixed By: * Peter Pónya (pedrop) [6] * szato [7] Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team [1] https://www.drupal.org/project/gdpr [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gdpr/releases/3.0.1 [4] https://www.drupal.org/project/gdpr/releases/3.1.2 [5] https://www.drupal.org/u/prudloff [6] https://www.drupal.org/u/pedrop [7] https://www.drupal.org/u/szato [8] https://www.drupal.org/u/greggles

1 0

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
by security-news＠drupal.org 19 Feb '25

19 Feb '25

View online: https://www.drupal.org/sa-core-2025-003 Project: Drupal core [1] Date: 2025-February-19 Security risk: *Moderately critical* 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Gadget Chain Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. Solution: Install the latest version: * If you use Drupal 10.3.x, update to Drupal 10.3.13 [3] * If you use Drupal 10.4.x, update to Drupal 10.4.3 [4] * If you use Drupal 11.0.x, update to Drupal 11.0.12 [5] * If you use Drupal 11.1.x, update to Drupal 11.1.3 [6] All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached end-of-life.) Reported By: * anzuukino [9] * shin24 [10] Fixed By: * ghost of drupal past [11] * Dave Long (longwave) [12] of the Drupal Security Team * Drew Webber (mcdruid) [13] of the Drupal Security Team * nicxvan [14] * shin24 [15] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/10.3.13 [4] https://www.drupal.org/project/drupal/releases/10.4.3 [5] https://www.drupal.org/project/drupal/releases/11.0.12 [6] https://www.drupal.org/project/drupal/releases/11.1.3 [7] https://www.drupal.org/psa-2021-06-29 [8] https://www.drupal.org/psa-2023-11-01 [9] https://www.drupal.org/u/anzuukino [10] https://www.drupal.org/u/shin24 [11] https://www.drupal.org/u/ghost-of-drupal-past [12] https://www.drupal.org/u/longwave [13] https://www.drupal.org/u/mcdruid [14] https://www.drupal.org/u/nicxvan [15] https://www.drupal.org/u/shin24

1 0

Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
by security-news＠drupal.org 19 Feb '25

19 Feb '25

View online: https://www.drupal.org/sa-core-2025-002 Project: Drupal core [1] Date: 2025-February-19 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 Description: Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes. This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes. In particular, the bulk operations * Make content sticky * Make content unsticky * Promote content to front page * Publish content * Remove content from front page * Unpublish content now require the "Administer content" permission. Solution: Install the latest version: * If you are using Drupal 10.3, update to Drupal 10.3.13 [3]. * If you are using Drupal 10.4, update to Drupal 10.4.3 [4]. * If you are using Drupal 11.0, update to Drupal 11.0.12 [5]. * If you are using Drupal 11.1, update to Drupal 11.1.3 [6]. All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached end-of-life.) Reported By: * jeff cardwell [9] Fixed By: * Benji Fisher (benjifisher) [10] of the Drupal Security Team * jeff cardwell [11] * Mingsong (mingsong) [12] Provisional Member of the Drupal Security Team * Juraj Nemec (poker10) [13] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/10.3.13 [4] https://www.drupal.org/project/drupal/releases/10.4.3 [5] https://www.drupal.org/project/drupal/releases/11.0.12 [6] https://www.drupal.org/project/drupal/releases/11.1.3 [7] https://www.drupal.org/psa-2021-06-29 [8] https://www.drupal.org/psa-2023-11-01 [9] https://www.drupal.org/u/jeff-cardwell [10] https://www.drupal.org/u/benjifisher [11] https://www.drupal.org/u/jeff-cardwell [12] https://www.drupal.org/u/mingsong [13] https://www.drupal.org/u/poker10

1 0

Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
by security-news＠drupal.org 19 Feb '25

19 Feb '25

View online: https://www.drupal.org/sa-core-2025-001 Project: Drupal core [1] Date: 2025-February-19 Security risk: *Critical* 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Cross site scripting Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3 Description: Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS). Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This issue is being protected by Drupal Steward [3]. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future. Solution: Install the latest version: * If you use Drupal 10.3.x, update to Drupal 10.3.13 [4] * If you use Drupal 10.4.x, update to Drupal 10.4.3 [5] * If you use Drupal 11.0.x, update to Drupal 11.0.12 [6] * If you use Drupal 11.1.x, update to Drupal 11.1.3 [7] All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 [8] and Drupal 9 [9] have both reached end-of-life.) Reported By: * Arne (arkepp) [10] * bdanin [11] * Douglas Groene (dgroene) [12] * Dragos Dumitrescu (dragos-dumi) [13] * Flo Kosiol (flokosiol) [14] * Gerardo Cadau (juanramonperez) [15] * Justin Christoffersen (larsdesigns) [16] * nuwans [17] * Sven Decabooter (svendecabooter) [18] * Will Gunn (wgunn_e) [19] Fixed By: * catch (catch) [20] of the Drupal Security Team * Drew Webber (mcdruid) [21] of the Drupal Security Team [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/steward [4] https://www.drupal.org/project/drupal/releases/10.3.13 [5] https://www.drupal.org/project/drupal/releases/10.4.3 [6] https://www.drupal.org/project/drupal/releases/11.0.12 [7] https://www.drupal.org/project/drupal/releases/11.1.3 [8] https://www.drupal.org/psa-2021-06-29 [9] https://www.drupal.org/psa-2023-11-01 [10] https://www.drupal.org/u/arkepp [11] https://www.drupal.org/u/bdanin [12] https://www.drupal.org/u/dgroene [13] https://www.drupal.org/u/dragos-dumi [14] https://www.drupal.org/u/flokosiol [15] https://www.drupal.org/u/juanramonperez [16] https://www.drupal.org/u/larsdesigns [17] https://www.drupal.org/u/nuwans [18] https://www.drupal.org/u/svendecabooter [19] https://www.drupal.org/u/wgunn_e [20] https://www.drupal.org/u/catch [21] https://www.drupal.org/u/mcdruid

1 0

Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017
by security-news＠drupal.org 12 Feb '25

12 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-017 Project: Configuration Split [1] Date: 2025-February-12 Security risk: *Moderately critical* 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <1.10.0 || >=2.0.0 <2.0.2 Description: This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split. This vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it. The status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup. Solution: Install the latest version: * If you use the Config Split module 8.x-1.x, upgrade to Config Split 8.x-1.10 [3] * If you use the Config Split module 2.0.x, upgrade to Config Split 2.0.2 [4] Reported By: * Eric Smith (ericgsmith) [5] Fixed By: * Fabian Bircher (bircher) [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team [1] https://www.drupal.org/project/config_split [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3506063 [4] https://www.drupal.org/node/3506064 [5] https://www.drupal.org/u/ericgsmith [6] https://www.drupal.org/u/bircher [7] https://www.drupal.org/u/greggles

1 0

SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016
by security-news＠drupal.org 12 Feb '25

12 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-016 Project: SpamSpan filter [1] Date: 2025-February-12 Security risk: *Moderately critical* 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Affected versions: <3.2.1 Description: This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability. This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page. Solution: Install the latest version: * If you use the Spamspan filter module for Drupal 10.x, upgrade to Spamspan filter 3.2.1 [3] Reported By: * Pierre Rudloff (prudloff) [4] Fixed By: * Julian Pustkuchen (anybody) [5] * Joshua Sedler (grevil) [6] * Adam Nagy (joevagyok) [7] * Pierre Rudloff (prudloff) [8] Coordinated By: * Greg Knaddison (greggles) [9] of the Drupal Security Team [1] https://www.drupal.org/project/spamspan [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/spamspan/releases/3.2.1 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/anybody [6] https://www.drupal.org/u/grevil [7] https://www.drupal.org/u/joevagyok [8] https://www.drupal.org/u/prudloff [9] https://www.drupal.org/u/greggles

1 0

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
by security-news＠drupal.org 12 Feb '25

12 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-015 Project: Open Social [1] Date: 2025-February-12 Security risk: *Less critical* 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <12.3.11 || >=12.4.0 <12.4.10 Description: Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that social_event_max_enroll has to be enabled. Solution: Install the latest version: * If you use Open Social 12.3.x upgrade to Open Social 12.3.11 [3] * If you use Open Social 12.4.x upgrade to Open Social 12.4.10 [4] Reported By: * Robert Ragas (robertragas) [5] * zanvidmar [6] Fixed By: * Denis Kolmerschlag (uber_denis) [7] * zanvidmar [8] Coordinated By: * Greg Knaddison (greggles) [9] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/12.3.11 [4] https://www.drupal.org/project/social/releases/12.4.10 [5] https://www.drupal.org/u/robertragas [6] https://www.drupal.org/u/zanvidmar [7] https://www.drupal.org/u/uber_denis [8] https://www.drupal.org/u/zanvidmar [9] https://www.drupal.org/u/greggles

1 0

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
by security-news＠drupal.org 12 Feb '25

12 Feb '25

View online: https://www.drupal.org/sa-contrib-2025-014 Project: Open Social [1] Date: 2025-February-12 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <12.3.11 || >=12.4.0 <12.4.10 Description: Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual. Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate these parts. The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language. Solution: Install the latest version: * If you use Open Social 12.3.x upgrade to Open Social 12.3.11 [3] * If you use Open Social 12.4.x upgrade to Open Social 12.4.10 [4] Reported By: * Robert Ragas (robertragas) [5] * zanvidmar [6] Fixed By: * Denis Kolmerschlag (uber_denis) [7] * zanvidmar [8] Coordinated By: * Greg Knaddison (greggles) [9] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/12.3.11 [4] https://www.drupal.org/project/social/releases/12.4.10 [5] https://www.drupal.org/u/robertragas [6] https://www.drupal.org/u/zanvidmar [7] https://www.drupal.org/u/uber_denis [8] https://www.drupal.org/u/zanvidmar [9] https://www.drupal.org/u/greggles

1 0