View online: https://www.drupal.org/sa-contrib-2025-083
Project: Simple XML sitemap [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: < 4.2.2
CVE IDs: CVE-2025-6676
Description:
Simple XML sitemap [3] is an SEO module that generates various XML sitemaps of
the site's content and submits them to search engines.
The module doesn't sufficiently sanitize input when administering it, which
leads to a Cross-site scripting (XSS) attack vector.
This vulnerability is mitigated by the fact that an attacker must have the
administrative permission 'administer sitemap settings'.
Solution:
Addressing this vulnerability requires two steps:
* If you use simple_sitemap, upgrade to 4.2.2 [4] or a later, supported
version.
* For all versions, ensure permissions are assigned to appropriate roles and
that users holding the "administer sitemap settings" permission are trusted.
Reported By:
* Nick Vanpraet (grayle) [5]
Fixed By:
* David Rothstein (David_Rothstein) [6]
* Pawel Ginalski (gbyte) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Michael Hess (mlhess) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/simple_sitemap
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/simple_sitemap
[4] https://www.drupal.org/project/simple_sitemap/releases/4.2.2
[5] https://www.drupal.org/u/grayle
[6] https://www.drupal.org/u/david_rothstein
[7] https://www.drupal.org/u/gbyte
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/poker10
View online: https://www.drupal.org/sa-contrib-2025-081
Project: CKEditor5 Youtube [1]
Date: 2025-June-25
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.0.3
CVE IDs: CVE-2025-6674
Description:
The CKEditor5 Youtube module enhances content creation in Drupal by
seamlessly integrating YouTube video embedding into the CKEditor 5 text
editor.
The module doesn't sufficiently validate iframe sources when a user embeds a
video through the CKEditor YouTube integration, leading to a Cross-site
Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permissions necessary to use the CKEditor Youtube embed button.
Solution:
Install the latest version:
* If you are using the CKEditor5 YouTube module on Drupal 9.x or higher, you
should upgrade to: CKEditor5 Youtube 1.0.3 [3]
Reported By:
* nico.b [4]
Fixed By:
* Brahim Khouy (b.khouy) [5]
* Abderrahim GHAZALI 🤘 (g.abderrahim) [6]
* nico.b [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ckeditor5_youtube
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor5_youtube/releases/1.0.3
[4] https://www.drupal.org/u/nicob
[5] https://www.drupal.org/u/bkhouy
[6] https://www.drupal.org/u/gabderrahim
[7] https://www.drupal.org/u/nicob
[8] https://www.drupal.org/u/greggles
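The defect described in the CKEditor5 Youtube advisory above is an iframe src that is not validated before it reaches the page. The usual defensive pattern is to never pass the user-supplied string into the iframe at all: parse it, accept only an allowlisted scheme and host, extract the video id, and rebuild a canonical embed URL from that id. The block below is an added illustrative example of that pattern, not code from the CKEditor5 Youtube module or from its fix; the allowlisted hostnames and the 11-character video-id pattern are assumptions, and `www.youtube-nocookie.com` is simply the host chosen here for the rebuilt src. Whatever an editor plugin checks in the browser is only a usability aid: the same check has to run server-side in the text-format filter that renders the iframe, because client-side validation can be bypassed.

```javascript
// Added example: allowlist-based validation of a user-supplied video URL.
// Not the module's own code. Host list and id pattern are assumptions.

const ALLOWED_HOSTS = new Set([
  'www.youtube.com',
  'youtube.com',
  'm.youtube.com',
  'youtu.be',
  'www.youtube-nocookie.com',
]);

// Assumed video-id format: exactly 11 URL-safe characters.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Returns the validated video id, or null if the input is not an acceptable
// https URL on an allowlisted host carrying a well-formed id.
function extractVideoId(input) {
  let url;
  try {
    // Without a base URL, new URL() throws on relative and protocol-relative
    // input, so only absolute URLs get past this point.
    url = new URL(String(input));
  } catch {
    return null;
  }
  // Scheme check rejects http:, javascript:, data: and anything else.
  if (url.protocol !== 'https:') return null;
  // Exact hostname match, so look-alike domains such as
  // www.youtube.com.example are rejected.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  let id = null;
  if (url.hostname === 'youtu.be') {
    id = url.pathname.slice(1).split('/')[0];
  } else if (url.pathname === '/watch') {
    id = url.searchParams.get('v');
  } else if (url.pathname.startsWith('/embed/')) {
    id = url.pathname.slice('/embed/'.length).split('/')[0];
  }
  return id !== null && VIDEO_ID.test(id) ? id : null;
}

// Builds the iframe src from the validated id only. Every other part of the
// user's input (query string, fragment, path extras) is discarded.
function buildEmbedSrc(input) {
  const id = extractVideoId(input);
  if (id === null) return null;
  return `https://www.youtube-nocookie.com/embed/${encodeURIComponent(id)}`;
}

// Constructed sample inputs; 'AbC-dEf_12x' is a made-up id, not a real video.
const SAMPLES = [
  'https://www.youtube.com/watch?v=AbC-dEf_12x',
  'https://youtu.be/AbC-dEf_12x',
  'https://www.youtube.com/embed/AbC-dEf_12x?start=10',
  'http://www.youtube.com/watch?v=AbC-dEf_12x',
  'https://www.youtube.com.example/watch?v=AbC-dEf_12x',
  '//www.youtube.com/embed/AbC-dEf_12x',
  'javascript:void(0)',
  'https://www.youtube.com/watch?v=short',
];

for (const sample of SAMPLES) {
  console.log(sample, '->', buildEmbedSrc(sample));
}
```

The first three samples yield the same canonical src; the remaining five are rejected (wrong scheme, look-alike host, protocol-relative input, non-http scheme, malformed id). The point of rebuilding rather than filtering is that the output can only ever contain characters from the validated id, so there is nothing left for an attribute-context injection to work with.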
View online: https://www.drupal.org/sa-contrib-2025-080
Project: Klaro Cookie & Consent Management [1]
Date: 2025-June-25
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <3.0.7
CVE IDs: CVE-2025-5682
Description:
The Klaro Cookie & Consent Management module provides consent management for
cookies and external sources. It alters page markup to enable or disable
loading of those sources.
The module doesn't sufficiently sanitize some HTML attributes, allowing
persistent Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to enter HTML tags containing specific attributes.
Solution:
Install the latest version:
* If you use the Klaro Cookie & Consent Management module for Drupal
10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.7 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Jan Kellermann (jan kellermann) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security
Team
[1] https://www.drupal.org/project/klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3532264
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jan-kellermann
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
View online: https://www.drupal.org/sa-contrib-2025-079
Project: Open Social [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13 ∕ 25
AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <12.3.14 || >=12.4.0 <12.4.13
CVE IDs: CVE-2025-48921
Description:
Open Social is a Drupal distribution for online communities, which ships with
a default module that allows users to enroll in events.
The module doesn't sufficiently protect certain routes from Cross Site
Request Forgery (CSRF) attacks. Users can be tricked into accepting or
rejecting these enrollments.
This issue only affects sites that have event enrollments enabled for an
event.
Solution:
Install the latest version:
* If you use Open Social 12.3.x upgrade to Open Social 12.3.14 [3]
* If you use Open Social 12.4.x upgrade to Open Social 12.4.13 [4]
Reported By:
* Ivo Van Geertruyen (mr.baileys) [5] of the Drupal Security Team
Fixed By:
* Alexander Varwijk (kingdutch) [6]
* Robert Ragas (robertragas) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.14
[4] https://www.drupal.org/project/social/releases/12.4.13
[5] https://www.drupal.org/u/mrbaileys
[6] https://www.drupal.org/u/kingdutch
[7] https://www.drupal.org/u/robertragas
[8] https://www.drupal.org/u/greggles
View online: https://www.drupal.org/sa-contrib-2025-078
Project: GLightbox [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.0.16
CVE IDs: CVE-2025-48922
Description:
The GLightbox module provides a pure JavaScript lightbox for CKEditor.
The module doesn't sufficiently filter user-supplied text passed to the
GLightbox JavaScript library, leading to a Cross-site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to edit content that is configured to support the GLightbox
module.
Solution:
Install the latest version:
* If you use the GLightbox module, upgrade to GLightbox 1.0.16 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Ivan Abramenko (levmyshkin) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security
Team
[1] https://www.drupal.org/project/glightbox
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3529736
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/levmyshkin
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/prudloff
View online: https://www.drupal.org/sa-contrib-2025-077
Project: Toc.js [1]
Date: 2025-June-25
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross-site Scripting
Affected versions: <3.2.1
CVE IDs: CVE-2025-48923
Description:
This module generates a table of contents for your pages based on a
configuration.
The module doesn't sufficiently sanitize data attributes, allowing persistent
Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to enter HTML tags containing specific data attributes using
other modules.
Solution:
Install the latest version:
* If you use the Toc.js module, upgrade to Toc.js 3.2.1 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Flocon de toile (flocondetoile) [5]
* Frank Mably (mably) [6]
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security
Team
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security
Team
[1] https://www.drupal.org/project/toc_js
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/toc_js/releases/3.2.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/flocondetoile
[6] https://www.drupal.org/u/mably
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/prudloff