[Security-news] Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
security-news at drupal.org
security-news at drupal.org
Wed Aug 27 17:19:25 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-099
Project: Facets [1]
Date: 2025-August-27
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <2.0.10 || >=3.0.0 <3.0.1
CVE IDs: CVE-2025-9549
Description:
This module enables you to to easily create and manage faceted search
interfaces.
The module doesn't sufficiently check access to entities when they are
displayed as facets.
This vulnerability is mitigated by the fact that only sites that show facets
with entity labels (like taxonomy terms) are affected, and only if some of
those entities are unpublished or have other access restrictions.
*CVSS risk score (experimental [3]) 6.9 / Medium*
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4]
Solution:
Install the latest version:
* If you use the Facets module for Drupal 8.x or higher, upgrade to Facets
2.0.10 [5] or Facets 3.0.1 [6]
Reported By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [8] of the Drupal Security Team
* Joris Vercammen (borisson_) [9]
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Thomas Seidl (drunken monkey) [11]
* Jimmy Henderickx (strykaizer) [12]
Coordinated By:
* Benji Fisher (benjifisher) [13] of the Drupal Security Team
* Damien McKenna (damienmckenna) [14] of the Drupal Security Team
* Greg Knaddison (greggles) [15] of the Drupal Security Team
* Drew Webber (mcdruid) [16] of the Drupal Security Team
* Cathy Theys (yesct) [17] of the Drupal Security Team
[1] https://www.drupal.org/project/facets
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/securitydrupalorg/issues/3442181
[4]
https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
[5] https://www.drupal.org/project/facets/releases/2.0.10
[6] https://www.drupal.org/project/facets/releases/3.0.1
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/benjifisher
[9] https://www.drupal.org/u/borisson_
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/drunken-monkey
[12] https://www.drupal.org/u/strykaizer
[13] https://www.drupal.org/u/benjifisher
[14] https://www.drupal.org/u/damienmckenna
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/u/mcdruid
[17] https://www.drupal.org/u/yesct
More information about the Security-news
mailing list