View online: https://www.drupal.org/sa-contrib-2025-052
Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47706
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.
For authenticator-based second-factor methods, the module doesn't sufficiently
check whether a TOTP token has already been used.
This vulnerability is mitigated by the fact that an attacker must have a
username, password and TOTP token generated within the last 5 minutes.
Solution:
Install the latest version:
* If you use the Enterprise MFA - TFA for Drupal module with Drupal ^9.3,
Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
* If you use the Enterprise MFA - TFA for Drupal module with Drupal 8, Drupal 9
or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].
Reported By:
* Conrad Lara (cmlara) [5]
Fixed By:
* Sudhanshu Dhage (sudhanshu0542) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-051
Project: IFrame Remove Filter [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Affected versions: <2.0.5
CVE IDs: CVE-2025-47705
Description:
This module enables you to add a filter to text formats (Full HTML, Filtered
HTML), which will remove every iframe where the "src" is not on the
allowlist.
The module doesn't sufficiently filter these iframes in certain situations.
This vulnerability is mitigated by the fact that an attacker must be able to
edit content that allows iframes.
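Added illustration, not the module's code (the advisory does not say which situations its filter missed): a src allowlist filter in Python that walks the markup with a real HTML parser and compares the parsed hostname exactly, so substring matches, userinfo tricks, scheme-relative URLs and non-http schemes are all dropped, and escaped text is re-emitted as written rather than unescaped by the filter itself. The allowlist and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class IframeAllowlistFilter(HTMLParser):
    def __init__(self, allowed_hosts):
        # convert_charrefs=False: "&lt;" is re-emitted as written, never unescaped to "<"
        super().__init__(convert_charrefs=False)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <iframe>

    def src_allowed(self, src):
        parts = urlsplit((src or "").strip())
        if parts.scheme not in ("http", "https"):
            return False  # rejects javascript:, data:, relative and scheme-relative //host
        # .hostname is lower-cased and drops userinfo/port: "https://good@evil.example" -> evil.example
        return parts.hostname in self.allowed

    def _drop(self, tag, attrs):
        return tag == "iframe" and not self.src_allowed(dict(attrs).get("src"))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag == "iframe"  # iframe nested inside a dropped one
        elif self._drop(tag, attrs):
            self.skip_depth = 1
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <br/>, <iframe ... />
        if not self.skip_depth and not self._drop(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag == "iframe"
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")

def filter_iframes(html, allowed_hosts):
    p = IframeAllowlistFilter(allowed_hosts)
    p.feed(html)
    p.close()
    return "".join(p.out)
```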
Solution:
Install the latest version:
* If you use the IFrame Remove Filter module for Drupal 10.x or 11.x,
upgrade to IFrame Remove Filter 2.0.5 [3].
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Bálint Nagy (nagy.balint) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Drew Webber (mcdruid) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/iframeremove
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/iframeremove/releases/2.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/nagybalint
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-050
Project: Klaro Cookie & Consent Management [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <3.0.5
CVE IDs: CVE-2025-47704
Description:
Klaro Cookie & Consent Management module is used for consent management for
cookies and external sources. It makes changes to the markup to enable or
disable loading.
The module doesn't sufficiently sanitize data attributes allowing persistent
Cross Site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to enter HTML tags containing specific data attributes.
Solution:
Install the latest version:
* If you use the Klaro Cookie & Consent Management module for Drupal
10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.5 [3].
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Jan Kellermann (jan kellermann) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3523166
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jan-kellermann
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-049
Project: COOKiES Consent Management [1]
Date: 2025-May-07
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.2.14
CVE IDs: CVE-2025-47703
Description:
The COOKiES module protects users from executing JavaScript code provided by
third parties, e.g., to display ads or track user data without consent.
The cookies_asset_injector module (a sub-module of the COOKiES module) also
allows inline JavaScript to be included in consent management. However, the
sub-module does not adequately check whether the provided JavaScript code
originates from authorized users.
A potential attacker would at least need permission to create and publish
HTML (e.g. content or comments).
Solution:
Install the latest version:
* If you use the COOKiES Consent Management module for Drupal 9 or above,
upgrade to COOKiES Consent Management 1.2.14 [3].
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Joachim Feltkamp (jfeltkamp) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.14
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jfeltkamp
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-048
Project: oEmbed Providers [1]
Date: 2025-May-07
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: <2.2.2
CVE IDs: CVE-2025-47702
Description:
This module extends the core Media module and allows site creators to permit
oEmbed providers in addition to YouTube and Vimeo, which are deemed
trustworthy by the Drupal Security Team.
The module doesn't sufficiently mark its administrative permission as
restricted, creating the possibility for the permission to be granted too
broadly and to users without the ability to adequately vet providers. A
malicious provider could execute a Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must 1) have a
role with the permission "administer oembed providers", 2) have a role with
the ability to create or edit Media entities, and 3) have provisioned a
publicly-accessible, malicious provider.
Solution:
Install the latest version:
* If you use the oEmbed Providers module for Drupal, upgrade to oEmbed
Providers 2.2.2 [3].
It is also recommended to review which roles are granted the "administer
oembed providers" permission.
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Chris Burge (chris burge) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/oembed_providers
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oembed_providers/releases/2.2.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/chris-burge
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10