View online: https://www.drupal.org/sa-core-2023-003
Project: Drupal core [1]
Date: 2023-March-15
Security risk: *Moderately critical* 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description: The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
This advisory is not covered by Drupal Steward [3].
Solution: Install the latest version:
* If you are using Drupal 10.0, update to Drupal 10.0.5 [4].
* If you are using Drupal 9.5, update to Drupal 9.5.5 [5].
* If you are using Drupal 9.4, update to Drupal 9.4.12 [6].
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [7].
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.
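A triage helper for the affected-version range and fix releases listed above, added here as an example; it is not part of the advisory or of Drupal's own code. The function names and the sample inventory are illustrative, and it assumes plain numeric version strings (pre-release suffixes such as -rc1 are rejected rather than guessed at).

```python
import re

# Constraint copied from the advisory's "Affected versions" field.
AFFECTED = ">=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5"
# Fix releases from the advisory's "Solution" list, keyed by (major, minor).
FIXED = {(10, 0): "10.0.5", (9, 5): "9.5.5", (9, 4): "9.4.12"}
OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def parse_version(text):
    """Turn 'X.Y' or 'X.Y.Z' into a comparable (X, Y, Z) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def parse_constraint(expr):
    """Parse 'A B || C D' into OR-ed groups of AND-ed (op, version) terms."""
    groups = []
    for alternative in expr.split("||"):
        terms = []
        for term in alternative.split():
            m = re.fullmatch(r"(>=|<)(.+)", term)
            if not m:
                raise ValueError(f"unsupported constraint term: {term!r}")
            terms.append((m.group(1), parse_version(m.group(2))))
        groups.append(terms)
    return groups

def is_affected(version, expr=AFFECTED):
    """True if the version satisfies any OR-ed group of the constraint."""
    v = parse_version(version)
    return any(all(OPS[op](v, bound) for op, bound in group)
               for group in parse_constraint(expr))

def triage(version):
    """Return (affected, fix_release).

    fix_release is None when the site is not affected, or when it is on a
    branch for which the advisory lists no fixed release (end-of-life).
    """
    if not is_affected(version):
        return (False, None)
    return (True, FIXED.get(parse_version(version)[:2]))

if __name__ == "__main__":
    # Constructed inventory of site names and core versions.
    inventory = {"intranet": "9.4.11", "shop": "10.0.5", "legacy": "8.9.20"}
    for site, core in inventory.items():
        print(site, core, triage(core))
```

An affected result with no fix release marks an end-of-life branch, which needs a move to a supported branch rather than a patch-level update.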
Reported By:
* Jan Kellermann [8]

Fixed By:
* Jan Kellermann [9]
* Lee Rowlands [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Benji Fisher [12] of the Drupal Security Team
* Jess [13] of the Drupal Security Team
* Sascha Grossenbacher [14]
* Neil Drumm [15] of the Drupal Security Team
* Dave Long [16] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.0.5
[5] https://www.drupal.org/project/drupal/releases/9.5.5
[6] https://www.drupal.org/project/drupal/releases/9.4.12
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/user/371731
[9] https://www.drupal.org/user/371731
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/683300
[13] https://www.drupal.org/user/65776
[14] https://www.drupal.org/user/214652
[15] https://www.drupal.org/user/3064
[16] https://www.drupal.org/user/246492