View online: https://www.drupal.org/sa-contrib-2025-094
Project: GoogleTag Manager [1]
Date: 2025-July-30
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Affected versions: <1.10.0
CVE IDs: CVE-2025-8362
Description:
This module enables you to integrate Google Tag Manager (GTM) into your
Drupal site by allowing administrators to configure and embed GTM container
snippets.
The module doesn't sufficiently sanitize the GTM container ID under the
scenario where a user with the /Administer gtm/ permission enters malicious
input into the /GTM-ID/ field. This value is directly inserted into a
tag, making the site vulnerable to Cross-site Scripting (XSS)
attacks.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission /Administer gtm/, and the input field is limited to 20
characters.
Solution:
Install the latest version:
* If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google
Tag Manager 8.x-1.10 [3].
The new version includes validation to prevent injection and restricts risky
inputs.
Additionally, site administrators should review which roles have the
/Administer gtm/ permission at /admin/people/permissions.
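As an added illustration of the kind of validation the fix introduces (this is not the module's own code, and the exact ID format it allowlists is an assumption), the check below refuses anything that is not a plain container ID before the value reaches the inline script, and shows why the 20-character limit alone is only a partial mitigation:

```python
import html
import json
import re

# Allowlist for the container ID. Assumption (not from the advisory): real
# IDs look like "GTM-" followed by uppercase letters and digits. The advisory
# only says the field is capped at 20 characters, and a length cap alone does
# not stop a short "</script>" breakout.
GTM_ID_RE = re.compile(r"^GTM-[A-Z0-9]{4,16}$")
MAX_LEN = 20


def is_valid_gtm_id(value: str) -> bool:
    """True only for IDs that match the strict allowlist pattern."""
    return len(value) <= MAX_LEN and GTM_ID_RE.fullmatch(value) is not None


def render_gtm_snippet(value: str) -> str:
    """Build the inline GTM bootstrap for a validated container ID.

    The allowlist is the control that keeps a "</script>" sequence out of
    the inline script. The ID is additionally JSON-encoded so a quote cannot
    end the JavaScript string, and HTML-escaped in the noscript iframe
    attribute; those encodings are defence in depth, not a replacement.
    """
    if not is_valid_gtm_id(value):
        raise ValueError(f"rejected GTM container ID: {value!r}")
    js_literal = json.dumps(value)             # "GTM-ABC1234" with quotes
    attr_value = html.escape(value, quote=True)
    return (
        "<script>window.dataLayer=window.dataLayer||[];"
        f"var gtmId={js_literal};</script>\n"
        '<noscript><iframe src="https://www.googletagmanager.com/ns.html'
        f'?id={attr_value}" height="0" width="0"></iframe></noscript>'
    )


# Constructed sample inputs: one legitimate ID and two that must be refused.
SAMPLES = {
    "GTM-ABC1234": True,
    "GTM-X</script><b>": False,   # 17 chars: passes the length cap alone
    "gtm-abc1234": False,         # wrong case: the allowlist is deliberately strict
}


def check_samples() -> bool:
    """Return True when every sample is classified as expected."""
    return all(is_valid_gtm_id(s) == want for s, want in SAMPLES.items())
```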
Reported By:
* Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security
Team
Fixed By:
* Anatoly Politsin (apolitsin) [5]
* Pierre Rudloff (prudloff) [6], provisional member of the Drupal Security
Team
Coordinated By:
* Ivo Van Geertruyen (mr.baileys) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/gtm
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gtm/releases/8.x-1.10
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/apolitsin
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/mrbaileys
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/xjm
View online: https://www.drupal.org/sa-contrib-2025-093
Project: Config Pages [1]
Date: 2025-July-30
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <2.18.0
CVE IDs: CVE-2025-8361
Description:
This module enables you to access an edit page for a config page.
The module doesn't sufficiently check the access permissions
(hook_ENTITY_TYPE_access() wasn't taken into account).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "edit ID config page" and that it only affects sites that
have access restricted via the hook_ENTITY_TYPE_access() hook.
Solution:
Install the latest version:
* If you use the Config Pages module, upgrade to Config Pages 8.x-2.18 [3].
Reported By:
* Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security
Team
Fixed By:
* Pierre Rudloff (prudloff) [5], provisional member of the Drupal Security
Team
* Alexander Shumenko (shumer) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Heine Deelstra (heine) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/config_pages
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_pages/releases/8.x-2.18
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/shumer
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/heine
[9] https://www.drupal.org/u/xjm
View online: https://www.drupal.org/sa-contrib-2025-092
Project: COOKiES Consent Management [1]
Date: 2025-July-23
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.2.16
CVE IDs: CVE-2025-8092
Description:
This module allows you to manage video media items using the COOKiES module
(disabling external video elements). These elements will be enabled again,
once the COOKiES banner is accepted.
The module doesn't sufficiently check whether "data-src" attributes should be
converted to "src" when their value might contain malicious content, in the
scenario where module-specific classes are set on the HTML element.
This vulnerability is mitigated by the fact that an attacker must have the
correct permissions to have a specific HTML element display for all users,
and this HTML element needs to have a specific class set.
Solution:
Install the latest version:
* If you use the COOKiES Video submodule for Drupal, upgrade to COOKiES
1.2.16 [3].
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Joshua Sedler (grevil) [5]
* Joachim Feltkamp (jfeltkamp) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] provisional member of the Drupal Security
Team
* Cathy Theys (yesct) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.16
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/grevil
[6] https://www.drupal.org/u/jfeltkamp
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/yesct
View online: https://www.drupal.org/sa-contrib-2025-091
Project: Real-time SEO for Drupal [1]
Date: 2025-July-16
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <2.2.0
CVE IDs: CVE-2025-7716
Description:
This module enables you to analyze the content that you're authoring for a
website. It shows you a preview of what a search result might look like.
The module doesn't sufficiently escape the content's metadata while
rendering the preview, opening up the possibility of an XSS attack.
This vulnerability is mitigated by the fact that an attacker must be able to
author content that is analyzed by the Real-Time SEO module.
Solution:
Install the latest version:
* Upgrade to yoast_seo 8.x-2.2 [3].
Reported By:
* Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security
Team.
Fixed By:
* Alexander Varwijk (kingdutch) [5]
* Pierre Rudloff (prudloff) [6], provisional member of the Drupal Security
Team.
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9], provisional member of the Drupal Security
Team
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/yoast_seo
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/yoast_seo/releases/8.x-2.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/kingdutch
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/xjm
View online: https://www.drupal.org/sa-contrib-2025-090
Project: Block Attributes [1]
Date: 2025-July-16
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7715
Description:
This module allows you to define custom attributes for a block. You can
specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which
makes it possible to insert JavaScript event attributes such as onmouseover,
onkeyup, etc. These attributes can execute JavaScript code when the page is
rendered, leading to cross-site scripting (XSS) vulnerabilities.
This vulnerability is partially mitigated by the requirement to manually add
the specific attributes and corresponding JavaScript code to the form after
the attribute has been created.
Solution:
Install the latest version:
* If you use the Block Attributes module for Drupal, upgrade to Block
Attributes 8.x-1.1 [3] or Block Attributes 2.0.1 [4].
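As an added example (not the module's code; the allowlist contents are an assumption), this is how an attribute-name check refuses the event handler names the advisory mentions, plus names that would smuggle a second attribute into the rendered tag, while still escaping the values of the names it does accept:

```python
import html
import re

# Illustrative allowlist of attribute names a site builder may put on a block.
# Assumption: the module's own rules are not reproduced here.
ALLOWED_NAME_RE = re.compile(
    r"^(class|id|title|role|lang|dir|aria-[a-z-]+|data-[a-z0-9-]+)$"
)
# Any name beginning with "on" is an event handler (onmouseover, onkeyup, ...):
# its value runs as JavaScript, so escaping the value cannot make it safe.
EVENT_HANDLER_RE = re.compile(r"^on")


def validate_attribute_name(raw_name: str) -> tuple[bool, str]:
    """Decide whether an attribute name may be stored. Returns (ok, reason)."""
    name = raw_name.strip().lower()
    # Whitespace or delimiters in a "name" (e.g. 'title onmouseover') would
    # smuggle a second attribute into the rendered tag, so reject them first.
    if not re.fullmatch(r"[a-z][a-z0-9-]*", name):
        return False, "name contains characters outside [a-z0-9-]"
    if EVENT_HANDLER_RE.match(name):
        return False, "event handler attributes are not permitted"
    if not ALLOWED_NAME_RE.match(name):
        return False, "name is not on the allowlist"
    return True, "ok"


def render_block_attributes(attrs: dict[str, str]) -> str:
    """Render validated names only; values are escaped for attribute context."""
    parts = []
    for raw_name, value in attrs.items():
        ok, _reason = validate_attribute_name(raw_name)
        if not ok:
            continue  # drop rather than render anything unvalidated
        name = raw_name.strip().lower()
        parts.append(f'{name}="{html.escape(value, quote=True)}"')
    return " ".join(parts)


# Constructed sample: the two event attributes the advisory names, a name that
# tries to smuggle a second attribute, and an allowlisted one needing escaping.
SAMPLE_ATTRS = {
    "class": "promo",
    "onmouseover": "/* constructed payload */",
    "onkeyup": "/* constructed payload */",
    "title onmouseover": "x",
    "title": 'Summer "sale"',
}
```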
Reported By:
* Pierre Rudloff (prudloff) [5] provisional member of the Drupal Security
Team
Fixed By:
* Kostia Bohach (_shy) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9], provisional member of the Drupal Security
Team
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/block_attributes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_attributes/releases/8.x-1.1
[4] https://www.drupal.org/project/block_attributes/releases/2.0.1
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/xjm
View online: https://www.drupal.org/sa-contrib-2025-087
Project: Cookies Addons [1]
Date: 2025-July-09
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting
Affected versions: >1.0.0 <1.2.4
CVE IDs: CVE-2025-7392
Description:
This module provides a format filter, which allows you to "disable" iframes
(e.g. remove their src attribute) specified by the user. These elements will
be enabled again, once the Cookies banner is accepted.
The module doesn't sufficiently filter user-supplied content whose value
might contain malicious content, leading to a Cross-site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that the site must have the
Cookies Addons Embed Iframe submodule enabled and an attacker must have the
correct permissions to use a text field with a text format that allows
iframes to be used.
Solution:
Install the latest version:
* Upgrade to Cookies Addons 1.2.4 [3].
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Guido Schmitz (guido_s) [5]
* Kostia Bohach (_shy) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security
Team
[1] https://www.drupal.org/project/cookies_addons
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies_addons/releases/1.2.4
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/guido_s
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/prudloff
View online: https://www.drupal.org/sa-contrib-2025-085
Project: Two-factor Authentication (TFA) [1]
Date: 2025-July-02
Security risk: *Less critical* 9 ∕ 25
AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <1.11.0
CVE IDs: CVE-2025-7030
Description:
This module enables you to allow and/or require a second authentication
method in addition to password authentication.
The module does not sufficiently ensure that users with enhanced privileges
are prevented from viewing recovery codes of other users.
This vulnerability is mitigated by the fact that an attacker must have a role
with the /Administer TFA for other users/ permission.
Solution:
Install the latest version:
* If you use the Two-factor Authentication (TFA) module for Drupal 8.x,
upgrade to Two-factor Authentication (TFA) 8.x-1.11 [3].
Reported By:
* Conrad Lara (cmlara) [4]
Fixed By:
* Conrad Lara (cmlara) [5]
Coordinated By:
* cilefen (cilefen) [6] of the Drupal Security Team
* Dan Smith (galooph) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tfa/releases/8.x-1.11
[4] https://www.drupal.org/u/cmlara
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/cilefen
[7] https://www.drupal.org/u/galooph
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/xjm