Security-news

security-news@drupal.org

1 participants
1782 discussions

JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106
by security-news＠drupal.org 24 Sep '25

24 Sep '25

View online: https://www.drupal.org/sa-contrib-2025-106 Project: JSON Field [1] Date: 2025-September-24 Security risk: *Critical* 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <1.5 CVE IDs: CVE-2025-10926 Description: This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability. Solution: Install the latest version: * If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5 [3]. Reported By: * Ivan (chi) [4] Fixed By: * Ivan (chi) [5] * Damien McKenna (damienmckenna) [6] of the Drupal Security Team Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [9] [1] https://www.drupal.org/project/json_field [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/json_field/releases/8.x-1.5 [4] https://www.drupal.org/u/chi [5] https://www.drupal.org/u/chi [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Third-Party Libraries and Supply Chains - PSA-2025-09-17
by security-news＠drupal.org 17 Sep '25

17 Sep '25

View online: https://www.drupal.org/psa-2025-09-17 Date: 2025-September-17 Description: .... Supply-chain attack via maintainer account takeover NPM [1] packages have been targeted in maintainer account takeover attacks. Attackers have deployed an automatic credential scanning tool. The scanning tool tries to find secret keys that may have been published to public systems like build automation and continuous integration (CI) systems and sends such credentials back to the attacker. From there, the vulnerable NPM packages are downloaded, modified to insert a trojan-like script bundle, and then republished. These maliciously modified packages can then be used to exploit any application that has installed these packages. Coverage and advice on remediation: * The Hacker News - 40 NPM Packages Compromised [2] * Socket.dev - Supply Chain Attack [3] * Aikido - S1ngularity/nx attackers strike again [4] * Aikido - npm debug and chalk packages compromised [5] * Wiz.io - Shai-Halud npm supply chain attack [6] While this attack has targeted NPM packages, the same strategy could be used to exploit other packages as well. .... Managing supply-chain security Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include CSP [7] and SRI [8]. It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries and any non-Drupal components of the stack. In rare cases, the Drupal Security Team will post an informational public service announcement [9] (PSA) such as this one, but the remit of the Drupal Security Team remains limited to code hosted on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal ecosystem include: * External libraries and plugins - PSA-2011-002 [10] * Various Third-Party Vulnerabilities - PSA-2019-09-04 [11] * Third-Party Libraries and Supply Chains - PSA-2024-06-26 [12] .... Impact to the Drupal project itself Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal core maintainers have received tips about this situation from several sources. Individuals in those groups have evaluated their exposure and we believe the Drupal project itself is not affected by this issue. If you have information about concerns that Drupal is affected please reach out to us [13]. /This post is likely to be be updated as the situation evolves and more information is available./ Reported By: * nicxvan [14] Coordinated By: * Greg Knaddison (greggles) [15] of the Drupal Security Team * Tim Hestenes Lehnen (hestenet) [16] * Dave Long (longwave) [17] of the Drupal Security Team * Drew Webber (mcdruid) [18] of the Drupal Security Team * Jess (xjm) [19] of the Drupal Security Team * cilefen [20] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [21] [1] https://www.npmjs.com [2] https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html [3] https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm… [4] https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again [5] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised [6] https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack [7] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP [8] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity [9] https://www.drupal.org/security/psa [10] https://www.drupal.org/node/1189632 [11] https://www.drupal.org/psa-2019-09-04 [12] https://www.drupal.org/psa-2024-06-26 [13] https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/r… [14] https://www.drupal.org/u/nicxvan [15] https://www.drupal.org/u/greggles [16] https://www.drupal.org/u/hestenet [17] https://www.drupal.org/u/longwave [18] https://www.drupal.org/u/mcdruid [19] https://www.drupal.org/u/xjm [20] https://www.drupal.org/u/cilefen [21] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105
by security-news＠drupal.org 03 Sep '25

03 Sep '25

View online: https://www.drupal.org/sa-contrib-2025-105 Project: Acquia DAM [1] Date: 2025-September-03 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass, Information Disclosure Affected versions: <1.1.5 CVE IDs: CVE-2025-9954 Description: This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability. This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable. *CVSS risk score (experimental [3]) 6.9 / Medium* CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4] Solution: Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module. * If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5 [5] Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview. Reported By: * Brandon Goodwin (bgoodie) [6] * Chris Burge (chris burge) [7] * Todd Woofenden (toddwoof) [8] Fixed By: * Chris Burge (chris burge) [9] * Damien McKenna (damienmckenna) [10] of the Drupal Security Team * Jakob P (japerry) [11] * Todd Woofenden (toddwoof) [12] Coordinated By: * cilefen (cilefen) [13] of the Drupal Security Team * Greg Knaddison (greggles) [14] of the Drupal Security Team * Cathy Theys (yesct) [15] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [16] [1] https://www.drupal.org/project/acquia_dam [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N… [5] https://www.drupal.org/project/acquia_dam/releases/1.1.5 [6] https://www.drupal.org/u/bgoodie [7] https://www.drupal.org/u/chris-burge [8] https://www.drupal.org/u/toddwoof [9] https://www.drupal.org/u/chris-burge [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/u/japerry [12] https://www.drupal.org/u/toddwoof [13] https://www.drupal.org/u/cilefen [14] https://www.drupal.org/u/greggles [15] https://www.drupal.org/u/yesct [16] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal…

1 0

Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-104 Project: Owl Carousel 2 [1] Date: 2025-August-27 Security risk: *Critical* 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Unsupported Affected versions: * CVE IDs: CVE-2025-9554 Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [4] [1] https://www.drupal.org/project/owlcarousel2 [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta… [4] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta…

1 0

API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-103 Project: API Key manager [1] Date: 2025-August-27 Security risk: *Critical* 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Unsupported Affected versions: * CVE IDs: CVE-2025-9553 Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [4] [1] https://www.drupal.org/project/api_key_manager [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta… [4] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta…

1 0

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-102 Project: Synchronize composer.json With Contrib Modules [1] Date: 2025-August-27 Security risk: *Critical* 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Unsupported Affected versions: * CVE IDs: CVE-2025-9552 Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [3] Solution: If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai... [4] [1] https://www.drupal.org/project/sync_composer_with_contrib [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta… [4] https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mainta…

1 0

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-101 Project: Protected Pages [1] Date: 2025-August-27 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.8.0 CVE IDs: CVE-2025-9551 Description: This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. *CVSS risk score (experimental [3]) 6.3 / Medium* CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4] Solution: Install the latest version: * If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8 [5] Reported By: * Pierre Rudloff (prudloff) [6] Fixed By: * Oksana Cyrwus (oksana-c) [7] * Ra Mänd (ram4nd) [8] Coordinated By: * Benji Fisher (benjifisher) [9] of the Drupal Security Team * Damien McKenna (damienmckenna) [10] of the Drupal Security Team * Greg Knaddison (greggles) [11] of the Drupal Security Team * Drew Webber (mcdruid) [12] of the Drupal Security Team * Juraj Nemec (poker10) [13] of the Drupal Security Team [1] https://www.drupal.org/project/protected_pages [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N… [5] https://www.drupal.org/project/protected_pages/releases/8.x-1.8 [6] https://www.drupal.org/u/prudloff [7] https://www.drupal.org/u/oksana-c [8] https://www.drupal.org/u/ram4nd [9] https://www.drupal.org/u/benjifisher [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/mcdruid [13] https://www.drupal.org/u/poker10

1 0

Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-100 Project: Facets [1] Date: 2025-August-27 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Affected versions: <2.0.10 || >=3.0.0 <3.0.1 CVE IDs: CVE-2025-9549 Description: This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”. *CVSS risk score (experimental [3]) 4.8 / Medium* CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N [4] Solution: Install the latest version: * If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 [5] or Facets 3.0.1 [6] Reported By: * Pierre Rudloff (prudloff) [7] Fixed By: * Joris Vercammen (borisson_) [8] * Thomas Seidl (drunken monkey) [9] * Pierre Rudloff (prudloff) [10], provisional member of the Drupal Security Team Coordinated By: * Damien McKenna (damienmckenna) [11] of the Drupal Security Team * Ivo Van Geertruyen (mr.baileys) [12] of the Drupal Security Team * Pierre Rudloff (prudloff) [13], provisional member of the Drupal Security Team * Drew Webber (mcdruid) [14] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P… [5] https://www.drupal.org/project/facets/releases/2.0.10 [6] https://www.drupal.org/project/facets/releases/3.0.1 [7] https://www.drupal.org/u/prudloff [8] https://www.drupal.org/u/borisson_ [9] https://www.drupal.org/u/drunken-monkey [10] https://www.drupal.org/u/prudloff [11] https://www.drupal.org/u/damienmckenna [12] https://www.drupal.org/u/mrbaileys [13] https://www.drupal.org/u/prudloff [14] https://www.drupal.org/u/mcdruid

1 0

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-099 Project: Facets [1] Date: 2025-August-27 Security risk: *Moderately critical* 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information Disclosure Affected versions: <2.0.10 || >=3.0.0 <3.0.1 CVE IDs: CVE-2025-9549 Description: This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions. *CVSS risk score (experimental [3]) 6.9 / Medium* CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4] Solution: Install the latest version: * If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 [5] or Facets 3.0.1 [6] Reported By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team Fixed By: * Benji Fisher (benjifisher) [8] of the Drupal Security Team * Joris Vercammen (borisson_) [9] * Damien McKenna (damienmckenna) [10] of the Drupal Security Team * Thomas Seidl (drunken monkey) [11] * Jimmy Henderickx (strykaizer) [12] Coordinated By: * Benji Fisher (benjifisher) [13] of the Drupal Security Team * Damien McKenna (damienmckenna) [14] of the Drupal Security Team * Greg Knaddison (greggles) [15] of the Drupal Security Team * Drew Webber (mcdruid) [16] of the Drupal Security Team * Cathy Theys (yesct) [17] of the Drupal Security Team [1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N… [5] https://www.drupal.org/project/facets/releases/2.0.10 [6] https://www.drupal.org/project/facets/releases/3.0.1 [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/benjifisher [9] https://www.drupal.org/u/borisson_ [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/u/drunken-monkey [12] https://www.drupal.org/u/strykaizer [13] https://www.drupal.org/u/benjifisher [14] https://www.drupal.org/u/damienmckenna [15] https://www.drupal.org/u/greggles [16] https://www.drupal.org/u/mcdruid [17] https://www.drupal.org/u/yesct

1 0

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098
by security-news＠drupal.org 27 Aug '25

27 Aug '25

View online: https://www.drupal.org/sa-contrib-2025-098 Project: Authenticator Login [1] Date: 2025-August-27 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass Affected versions: <2.1.8 CVE IDs: CVE-2025-8093 Description: This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. *CVSS risk score (experimental [3]) 6.3 / Medium* CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N [4] Solution: Install the latest version: * If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8 [5] Reported By: * Pierre Rudloff (prudloff) [6] Fixed By: * Ahmed Raza (ahmed.raza) [7] * Pierre Rudloff (prudloff) [8], provisional member of the Drupal Security Team Coordinated By: * Damien McKenna (damienmckenna) [9] of the Drupal Security Team * Greg Knaddison (greggles) [10] of the Drupal Security Team * Drew Webber (mcdruid) [11] of the Drupal Security Team * Juraj Nemec (poker10) [12] of the Drupal Security Team * Cathy Theys (yesct) [13] of the Drupal Security Team [1] https://www.drupal.org/project/alogin [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N… [5] https://www.drupal.org/project/alogin/releases/2.1.8 [6] https://www.drupal.org/u/prudloff [7] https://www.drupal.org/u/ahmedraza [8] https://www.drupal.org/u/prudloff [9] https://www.drupal.org/u/damienmckenna [10] https://www.drupal.org/u/greggles [11] https://www.drupal.org/u/mcdruid [12] https://www.drupal.org/u/poker10 [13] https://www.drupal.org/u/yesct

1 0

← Newer
1
...
4
5
6
7
8
9
10
...
179
Older →

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Security-news