View online: https://www.drupal.org/sa-contrib-2025-035
Project: Stage File Proxy [1]
Date: 2025-April-16
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service
Affected versions: <3.1.5
CVE IDs: CVE-2025-3734
Description:
Stage File Proxy is a general solution for getting production files on a
development server on demand.
The module doesn't sufficiently validate the existence of remote files prior
to attempting to download and create them. An attacker could send many
requests and exhaust disk resources.
This vulnerability is mitigated by the fact that it only affects sites where
the Origin is configured with a trailing slash. Sites that cannot upgrade
immediately can confirm that the Origin has no trailing slash, or remove the
trailing slash, to mitigate the issue.
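As an added illustration (this is not code from the Stage File Proxy module or its fix), the following PHP shows the shape of the check the description calls for: normalise the configured Origin so a trailing slash cannot change the URL that is built, then confirm with a HEAD request that the remote file exists and has a bounded size before any local file is created. The config key stage_file_proxy.settings / origin, the class and method names, and the size cap are assumptions.

```php
<?php
// Added illustration, not the module's own code. Assumptions: the config
// key "stage_file_proxy.settings" with an "origin" entry, the class/method
// names below, and the 20 MiB cap.

use GuzzleHttp\ClientInterface;
use GuzzleHttp\Exception\GuzzleException;

final class OriginFileCheck {

  // Refuse remote files larger than this (assumed cap).
  private const MAX_BYTES = 20 * 1024 * 1024;

  public function __construct(private readonly ClientInterface $http) {}

  /**
   * Strip whitespace and any trailing slash from the configured origin so
   * origin . '/' . path can never produce "//" in the request URL.
   */
  public static function normalizeOrigin(string $origin): string {
    return rtrim(trim($origin), '/');
  }

  /**
   * Return the remote size in bytes if the file exists at the origin and is
   * within the cap, or NULL if no local file should be created for it.
   */
  public function remoteSize(string $origin, string $relativePath): ?int {
    $url = self::normalizeOrigin($origin) . '/' . ltrim($relativePath, '/');
    try {
      // HEAD only: nothing is downloaded or written at this stage.
      $response = $this->http->request('HEAD', $url, [
        'http_errors' => FALSE,
        'allow_redirects' => FALSE,
        'timeout' => 5,
      ]);
    }
    catch (GuzzleException $e) {
      return NULL;
    }
    if ($response->getStatusCode() !== 200) {
      // 404 (or a redirect to a catch-all page): do not create anything.
      return NULL;
    }
    $length = $response->getHeaderLine('Content-Length');
    if (!preg_match('/^\d+$/', $length)) {
      // Unknown size: refuse rather than risk unbounded disk use.
      return NULL;
    }
    $size = (int) $length;
    return $size <= self::MAX_BYTES ? $size : NULL;
  }

}

// Wiring inside Drupal (assumed):
//   $origin = \Drupal::config('stage_file_proxy.settings')->get('origin');
//   $check  = new OriginFileCheck(\Drupal::httpClient());
//   if ($check->remoteSize($origin, 'sites/default/files/example.png') !== NULL) {
//     // only now download the file and save it locally
//   }
```

To confirm the interim mitigation on a site that cannot upgrade yet, read the stored origin (assumed key) with "drush config:get stage_file_proxy.settings origin" and make sure the value does not end in "/".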
Solution:
Install the latest version:
* If you use the Stage File Proxy module for Drupal, upgrade to Stage File
Proxy 3.1.5 [3]
Reported By:
* Ide Braakman (idebr) [4]
Fixed By:
* Stephen Mustgrave (smustgrave) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/stage_file_proxy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/stage_file_proxy/releases/3.1.5
[4] https://www.drupal.org/u/idebr
[5] https://www.drupal.org/u/smustgrave
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-033
Project: Panels [1]
Date: 2025-April-09
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <4.9.0
CVE IDs: CVE-2025-3474
Description:
Panels enables administrators to add page variants within Page Manager,
Panelizer, etc. to create custom pages.
The module doesn't sufficiently protect sensitive routes, allowing an
attacker to view and modify blocks within variants without requiring
appropriate permission.
This vulnerability is mitigated by the fact that an attacker must know the
machine name of the variant and underlying page, which is not available
within the source code of a page. Additionally, only simple blocks can be
added or edited, as a more complex block will trigger an error due to missing
permissions.
Solution:
Install the latest version:
* If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9 [3]
Reported By:
* Manuel Adán (manuel.adan) [4]
Fixed By:
* Jakob P (japerry) [5]
* Manuel Adán (manuel.adan) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/panels
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels/releases/8.x-4.9
[4] https://www.drupal.org/u/manueladan
[5] https://www.drupal.org/u/japerry
[6] https://www.drupal.org/u/manueladan
[7] https://www.drupal.org/u/greggles
View online: https://www.drupal.org/sa-contrib-2025-032
Project: Gif Player Field [1]
Date: 2025-April-09
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting
Affected versions: <1.5.0 || >=2.0.0 <2.0.4
CVE IDs: CVE-2025-31128
Description:
Gif Player Field creates a simple file field type that allows you to upload
GIF files and configure their output using field formatters.
The module uses the GifPlayer jQuery library [3] to render the GIF according
to the field formatter's configured settings. The external GifPlayer library
doesn't sanitize attributes properly when rendering the widget, allowing a
malicious user to run XSS attacks.
This vulnerability is mitigated by the fact that an attacker would need to
have an account on the website and be able to create an image tag with a
data-label attribute. There are no fields on a default Drupal site that
allow that attribute for a user with user-level permissions.
Solution:
There are multiple steps. First, install the latest version. Second, download
and install the library. See details below.
* If you use the Gif Player module for Drupal ^10.3 || ^11, upgrade to Gif
Player 2.0.4 [4]
* If you are still using the old Gif Player 8.x-1.4 module for Drupal 9/10,
upgrade to Gif Player 8.x-1.5 [5] (but it is suggested to upgrade to the
2.0.4 version if possible, as the 8.x-1.x branch will be phased out soon)
Please note that the GifPlayer library is no longer included in the module
(file js/gifplayer.js) and needs to be downloaded separately into the
/libraries directory (see the README.md for more details).
Reported By:
* Pierre Rudloff (prudloff) [6]
Fixed By:
* Daniel Rodriguez (danrod) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/gifplayer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://github.com/rubentd/gifplayer
[4] https://www.drupal.org/project/gifplayer/releases/2.0.4
[5] https://www.drupal.org/project/gifplayer/releases/8.x-1.5
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/danrod
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-030
Project: WEB-T [1]
Date: 2025-April-09
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass, Denial of service
Affected versions: <1.1.0
CVE IDs: CVE-2025-3475
Description:
This module enables you to translate nodes, configuration and UI strings
automatically.
The module doesn't sufficiently validate the incoming API response when using
the eTranslation integration, which has an asynchronous workflow. Specially
crafted requests to the response endpoint could overwrite entities and
entity translations with arbitrary content, and create load on the system
leading to a Denial of Service.
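As an added illustration (this is not code from the WEB-T module or its fix), the following PHP shows one way to bind an asynchronous translation response to the request that produced it: each outgoing request is recorded with a random secret and an expiry, and the callback is only honoured if it names a pending request and presents the matching secret, after which the record is consumed so a replay is rejected. The store name, the payload field names, and how the secret reaches the remote service (for example as part of the callback URL) are assumptions.

```php
<?php
// Added illustration, not the module's own code. Assumptions: the key/value
// store name "webt_pending", the record layout, the one-hour TTL, and the
// callback payload field names used in the wiring comment at the end.

use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface;

final class PendingTranslations {

  // Seconds a pending request stays claimable (assumed).
  private const TTL = 3600;

  public function __construct(private readonly KeyValueStoreExpirableInterface $store) {}

  /**
   * Record an outgoing request and return the secret the callback must echo.
   * $requestId is whatever identifier the remote service will send back.
   */
  public function register(string $requestId, string $entityType, int $entityId, string $langcode): string {
    $secret = bin2hex(random_bytes(32));
    $this->store->setWithExpire($requestId, [
      'secret' => $secret,
      'entity_type' => $entityType,
      'entity_id' => $entityId,
      'langcode' => $langcode,
    ], self::TTL);
    return $secret;
  }

  /**
   * Validate an incoming callback. Returns the target (entity type, id and
   * langcode) only for a known, unexpired request whose secret matches, and
   * deletes the record so the same response cannot be applied twice.
   */
  public function claim(string $requestId, string $presentedSecret): ?array {
    $pending = $this->store->get($requestId);
    if ($pending === NULL) {
      return NULL;                                  // unknown or expired request
    }
    if (!hash_equals($pending['secret'], $presentedSecret)) {
      return NULL;                                  // forged callback
    }
    $this->store->delete($requestId);               // one-shot: no replay
    unset($pending['secret']);
    return $pending;
  }

}

// Wiring in the callback controller (assumed payload field names):
//   $store  = \Drupal::keyValueExpirable('webt_pending');
//   $target = (new PendingTranslations($store))->claim($payload['request-id'], $payload['secret']);
//   if ($target === NULL) {
//     throw new \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException();
//   }
//   // Only now load $target['entity_type'] / $target['entity_id'] and write the
//   // translation for $target['langcode']; never take the entity to modify
//   // from the incoming payload itself.
```

The point of the design is that the entity to be modified is taken from the stored record, not from the response body, so a crafted request can at most fail the secret check; the expiry and deletion also bound how many records an attacker could make the site hold.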
Solution:
Install the latest version:
* If you use the WEB-T module with version < 1.1.0, upgrade to WEB-T 1.1.0
[3]
Reported By:
* Jan Kellermann (jan kellermann) [4]
Fixed By:
* dragels [5]
* Jan Kellermann (jan kellermann) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/webt
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webt/releases/1.1.0
[4] https://www.drupal.org/u/jan-kellermann
[5] https://www.drupal.org/u/dragels
[6] https://www.drupal.org/u/jan-kellermann
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-029
Project: Obfuscate [1]
Date: 2025-April-02
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <2.0.1
CVE IDs: CVE-2025-3130
Description:
This module enables you to obfuscate email addresses, to avoid them being
easily available to spammers.
The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to enter specific HTML tag attributes. In a default Drupal
installation this would require the administrator role and use of the Full
HTML text format. It also requires that the ROT13 encoding be enabled in
Obfuscate settings.
Solution:
Install the latest version:
* Upgrade to Obfuscate 2.0.1 [3]
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Nigel Cunningham (nigelcunningham) [5]
* Pierre Rudloff (prudloff) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/obfuscate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/obfuscate/releases/2.0.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/nigelcunningham
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
View online: https://www.drupal.org/sa-contrib-2025-028
Project: Access code [1]
Date: 2025-April-02
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.4
CVE IDs: CVE-2025-3129
Description:
This module enables users to log in using a short access code instead of
providing a username/password combination.
The module doesn't sufficiently protect against brute force attacks to guess
a user's access code.
This vulnerability is mitigated by the fact that access code based logins are
off by default and only enabled for accounts that opt in. Sites could
mitigate the issue without updating by:
1) disabling the access code login method for critical accounts
2) monitoring and preventing brute force attacks in other ways (for example,
with a Web Application Firewall)
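As an added illustration (this is not code from the Access code module or its fix), the following PHP shows how a Drupal module can throttle access-code guesses with core's flood service, the same mechanism the core login form uses against password guessing: failed attempts are counted per target account and per client IP, and further attempts are refused once either counter reaches its limit. The event names, limits and windows are assumptions, as is the hashed storage of the code.

```php
<?php
// Added illustration, not the module's own code. Assumptions: the flood
// event names, the limits/windows below, and that the access code is stored
// as a password_hash() value.

use Drupal\Core\Flood\FloodInterface;

final class AccessCodeThrottle {

  // Assumed limits: a few failures per account, more per client IP.
  private const USER_LIMIT = 5;
  private const USER_WINDOW = 3600;
  private const IP_LIMIT = 50;
  private const IP_WINDOW = 3600;

  public function __construct(private readonly FloodInterface $flood) {}

  /** TRUE if another guess may be checked for this account from this IP. */
  public function isAllowed(int $uid, string $ip): bool {
    return $this->flood->isAllowed('access_code.failed_login_ip', self::IP_LIMIT, self::IP_WINDOW, $ip)
      && $this->flood->isAllowed('access_code.failed_login_user', self::USER_LIMIT, self::USER_WINDOW, (string) $uid);
  }

  /**
   * Check a presented code. Refuses without comparing when throttled; on a
   * wrong code registers a failure against both counters; on success clears
   * the per-account counter.
   */
  public function attempt(int $uid, string $ip, string $presented, string $storedHash): bool {
    if (!$this->isAllowed($uid, $ip)) {
      return FALSE;
    }
    if (password_verify($presented, $storedHash)) {
      $this->flood->clear('access_code.failed_login_user', (string) $uid);
      return TRUE;
    }
    $this->flood->register('access_code.failed_login_ip', self::IP_WINDOW, $ip);
    $this->flood->register('access_code.failed_login_user', self::USER_WINDOW, (string) $uid);
    return FALSE;
  }

}

// Wiring (assumed):
//   $throttle = new AccessCodeThrottle(\Drupal::flood());
//   $ok = $throttle->attempt(
//     (int) $account->id(),
//     \Drupal::request()->getClientIp(),
//     $presentedCode,
//     $storedHash,
//   );
```

A per-account counter keyed only by uid lets an attacker lock a victim out by guessing deliberately; core's login form avoids that by keying the account counter on uid plus IP unless the administrator chooses uid-only, and the same choice applies here. A short numeric code has so little entropy that hashing it is not a defence on its own; the throttle (and the WAF mitigation above) is what makes guessing impractical.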
Solution:
Install the latest version:
* If you use the access_code module for Drupal 8.x or later, upgrade to
access_code 2.0.4 [3]
Reported By:
* Marcin Maruszewski (marcin maruszewski) [4]
Fixed By:
* Gergely Lekli (glekli) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Drew Webber (mcdruid) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/access_code
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/access_code/releases/2.0.4
[4] https://www.drupal.org/u/marcin-maruszewski
[5] https://www.drupal.org/u/glekli
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10