View online: https://www.drupal.org/sa-contrib-2025-026
Project: Formatter Suite [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <2.1.0
Description:
Formatter Suite provides a suite of field formatters to help present numbers,
dates, times, text, links, entity references, files, and images. The module
provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Solution:
Install the latest version:
* If you use the Formatter Suite module for Drupal 10, upgrade to Formatter
Suite 2.1.0 [3]
* Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
* Daniel Wehner (dawehner) [4]
* Joseph Zhao (pandaski) [5] Provisional Member of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [6] of the Drupal Security Team
* Bram Driesen (bramdriesen) [7] Provisional Member of the Drupal Security
Team
* cyoun [8]
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
* Joseph Zhao (pandaski) [10] Provisional Member of the Drupal Security Team
Coordinated By:
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
[1] https://www.drupal.org/project/formatter_suite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/formatter_suite/releases/2.1.0
[4] https://www.drupal.org/u/dawehner
[5] https://www.drupal.org/u/pandaski
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/bramdriesen
[8] https://www.drupal.org/u/cyoun
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/pandaski
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-025
Project: RapiDoc OAS Field Formatter [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <1.0.1
Description:
This module can be used to render Open API Documentation using the RapiDoc
library. The module provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Solution:
Install the latest version:
* If you use the RapiDoc OAS Field Formatter module for Drupal 10, upgrade
to RapiDoc OAS Field Formatter 1.0.1 [3]
* Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
* Joseph Zhao (pandaski) [4] Provisional Member of the Drupal Security Team
Fixed By:
* Arlina Espinoza Rhoton (arlina) [5]
* Benji Fisher (benjifisher) [6] of the Drupal Security Team
* Lee Rowlands (larowlan) [7] of the Drupal Security Team
Coordinated By:
* Bram Driesen (bramdriesen) [8] Provisional Member of the Drupal Security
Team
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Drew Webber (mcdruid) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team
[1] https://www.drupal.org/project/rapidoc_elements_field_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3]
https://www.drupal.org/project/rapidoc_elements_field_formatter/releases/1.…
[4] https://www.drupal.org/u/pandaski
[5] https://www.drupal.org/u/arlina
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/bramdriesen
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/mcdruid
[11] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-024
Project: Link field display mode formatter [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <1.6.0
Description:
This module adds a formatter for link fields that displays the current entity
with another view mode inside the link.
Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Solution:
Install the latest version:
* If you use the Link field display mode formatter module for Drupal 10 or
11, upgrade to Link field display mode formatter 8.x-1.6 [3]
* Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
* Daniel Wehner (dawehner) [4]
* Joseph Zhao (pandaski) [5] Provisional Member of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [6] of the Drupal Security Team
* Joseph Zhao (pandaski) [7] Provisional Member of the Drupal Security Team
* Rodrigo Aguilera (rodrigoaguilera) [8]
Coordinated By:
* Bram Driesen (bramdriesen) [9] Provisional Member of the Drupal Security
Team
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Drew Webber (mcdruid) [11] of the Drupal Security Team
* Juraj Nemec (poker10) [12] of the Drupal Security Team
[1] https://www.drupal.org/project/link_field_display_mode_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3]
https://www.drupal.org/project/link_field_display_mode_formatter/releases/8…
[4] https://www.drupal.org/u/dawehner
[5] https://www.drupal.org/u/pandaski
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/pandaski
[8] https://www.drupal.org/u/rodrigoaguilera
[9] https://www.drupal.org/u/bramdriesen
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/mcdruid
[12] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-023
Project: Two-factor Authentication (TFA) [1]
Date: 2025-March-05
Security risk: *Moderately critical* 13 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.10.0
Description:
This module enables you to allow and/or require users to use a second
authentication method in addition to password authentication.
The module does not sufficiently ensure that known login routes are not
overridden by third-party modules which can allow an access bypass to occur.
This vulnerability is mitigated by the fact that an attacker must obtain a
first-factor login credential.
Solution:
Install the latest version and run database updates:
1) If you use the Two-factor Authentication (TFA) module for Drupal 8.x,
upgrade to Two-factor Authentication (TFA) 8.x-1.10 [3]
2) Run the database updates. See help documentation [4] on how to run
database updates.
TFA 8.x-1.10 will provide a status report error if it detects a known route
is being bypassed.
Caution: TFA 8.x-1.10 will attempt to restore these routes to expected norms.
This may disable routes added by other modules.
Reported By:
* Conrad Lara (cmlara) [5]
* Elaman Imashov (elaman) [6]
Fixed By:
* Conrad Lara (cmlara) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.10
[4]
https://www.drupal.org/docs/updating-drupal/updating-drupal-core-via-compos…
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/elaman
[7] https://www.drupal.org/u/cmlara
[8] https://www.drupal.org/u/greggles
View online: https://www.drupal.org/sa-contrib-2025-022
Project: AI (Artificial Intelligence) [1]
Date: 2025-March-05
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Gadget Chain
Affected versions: <1.0.5
Description:
The AI Automators module (a submodule of AI) enables you to create different
automated tasks that fills out a field data using LLM outputs.
The module contains a potential PHP Object Injection vulnerability that (if
combined with another exploit) could lead to Arbitrary File Deletion. It may
be possible to escalate this attack to Remote Code Execution. It is not
directly exploitable.
This issue is mitigated by the fact that for it to be exploitable, a separate
vulnerability must be present to allow an attacker to pass unsafe input to
unserialize(). The potential vulnerability exists in optional Automator Types
which are part of the optional AI Automators (sub)module.
The AI module is included in Drupal CMS.
Solution:
Install the latest version:
* If you use the AI module for Drupal, upgrade to AI 1.0.5 [3]
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Marcus Johansson (marcus_johansson) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
Coordinated By:
* Drew Webber (mcdruid) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.0.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/marcus_johansson
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/mcdruid
View online: https://www.drupal.org/sa-contrib-2025-021
Project: AI (Artificial Intelligence) [1]
Date: 2025-March-05
Security risk: *Critical* 15 ∕ 25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution
Affected versions: <1.0.5
Description:
The AI Automators module (a submodule of AI) enables you to create different
automated tasks that fills out field data using LLM outputs.
The module doesn't sufficiently sanitize input before passing it to the
underlying shell as part of a command for execution, allowing an attacker to
run arbitrary commands.
The vulnerability exists in optional Automator Types which are part of the
optional AI Automators (sub)module.
The AI module is included in Drupal CMS.
Solution:
Install the latest version:
* If you use the AI module for Drupal, upgrade to AI 1.0.5 [3]
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Marcus Johansson (marcus_johansson) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
* Michal Gow (seogow) [7]
Coordinated By:
* Drew Webber (mcdruid) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.0.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/marcus_johansson
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/seogow
[8] https://www.drupal.org/u/mcdruid