From security-news at drupal.org Wed Jun 25 18:41:07 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:41:07 +0000 (UTC)
Subject: [Security-news] Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-077

Project: Toc.js [1]
Date: 2025-June-25
Security risk: *Moderately critical* 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross-site Scripting
Affected versions: <3.2.1
CVE IDs: CVE-2025-48923

Description:

This module enables you to generate a table of contents for your pages given a configuration.

The module doesn't sufficiently sanitise data attributes, allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.

Solution:

Install the latest version:

* If you use the Toc JS module, upgrade to Toc Js 3.2.1 [3]

Reported By:

* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:

* Flocon de toile (flocondetoile) [5]
* Frank Mably (mably) [6]
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security Team

Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security Team

[1] https://www.drupal.org/project/toc_js
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/toc_js/releases/3.2.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/flocondetoile
[6] https://www.drupal.org/u/mably
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/prudloff

From security-news at drupal.org Wed Jun 25 18:41:21 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:41:21 +0000 (UTC)
Subject: [Security-news] GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-078

Project: GLightbox [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.0.16
CVE IDs: CVE-2025-48922

Description:

GLightbox module is a pure Javascript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.

Solution:

Install the latest version:

* If you use the GLightbox module, upgrade to GLightbox 1.0.16 [3]

Reported By:

* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:

* Ivan Abramenko (levmyshkin) [5]

Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security Team

[1] https://www.drupal.org/project/glightbox
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3529736
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/levmyshkin
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/prudloff

From security-news at drupal.org Wed Jun 25 18:41:35 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:41:35 +0000 (UTC)
Subject: [Security-news] Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-079

Project: Open Social [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13/25 AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <12.3.14 || >=12.4.0 <12.4.13
CVE IDs: CVE-2025-48921

Description:

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.

Solution:

Install the latest version:

* If you use Open Social 12.3.x, upgrade to Open Social 12.3.14 [3]
* If you use Open Social 12.4.x, upgrade to Open Social 12.4.13 [4]

Reported By:

* Ivo Van Geertruyen (mr.baileys) [5] of the Drupal Security Team

Fixed By:

* Alexander Varwijk (kingdutch) [6]
* Robert Ragas (robertragas) [7]

Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team

[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.14
[4] https://www.drupal.org/project/social/releases/12.4.13
[5] https://www.drupal.org/u/mrbaileys
[6] https://www.drupal.org/u/kingdutch
[7] https://www.drupal.org/u/robertragas
[8] https://www.drupal.org/u/greggles

From security-news at drupal.org Wed Jun 25 18:41:57 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:41:57 +0000 (UTC)
Subject: [Security-news] Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-080

Project: Klaro Cookie & Consent Management [1]
Date: 2025-June-25
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <3.0.7
CVE IDs: CVE-2025-5682

Description:

The Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes, allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

Solution:

Install the latest version:

* If you use the Klaro Cookie & Consent Management module for Drupal 10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.7 [3]

Reported By:

* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:

* Jan Kellermann (jan kellermann) [5]

Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security Team

[1] https://www.drupal.org/project/klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3532264
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jan-kellermann
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff

From security-news at drupal.org Wed Jun 25 18:42:08 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:42:08 +0000 (UTC)
Subject: [Security-news] CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-081

Project: CKEditor5 Youtube [1]
Date: 2025-June-25
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.0.3
CVE IDs: CVE-2025-6674

Description:

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.

The module doesn't sufficiently validate iframe sources when a user embeds a video using the CKEditor YouTube integration, leading to a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to use the CKEditor Youtube embed button.

Solution:

Install the latest version:

* If you are using the CKEditor5 YouTube module on Drupal 9.x or higher, you should upgrade to: CKEditor5 Youtube 1.0.3 [3]

Reported By:

* nico.b [4]

Fixed By:

* Brahim Khouy (b.khouy) [5]
* Abderrahim GHAZALI (g.abderrahim) [6]
* nico.b [7]

Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team

[1] https://www.drupal.org/project/ckeditor5_youtube
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor5_youtube/releases/1.0.3
[4] https://www.drupal.org/u/nicob
[5] https://www.drupal.org/u/bkhouy
[6] https://www.drupal.org/u/gabderrahim
[7] https://www.drupal.org/u/nicob
[8] https://www.drupal.org/u/greggles

From security-news at drupal.org Wed Jun 25 18:42:19 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:42:19 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-082

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-June-25
Security risk: *Critical* 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <4.8.0 || >=5.2.0 <5.2.1 || 5.0.* || 5.1.*
CVE IDs: CVE-2025-6675

Description:

The module enables you to add second-factor authentication on top of the default Drupal login.

The module does not sufficiently ensure that known authorization routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

Solution:

Install the latest version:

* If you use Enterprise MFA - TFA for Drupal ^9.3, Drupal 10 and Drupal 11, upgrade to miniorange_2fa 5.2.1. [3]
* If you use Enterprise MFA - TFA for Drupal 8, Drupal 9 and Drupal 10, upgrade to miniorange_2fa 8.x-4.8. [4]

Reported By:

* Conrad Lara (cmlara) [5]

Fixed By:

* Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team

[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.1
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.8
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/greggles

From security-news at drupal.org Wed Jun 25 18:42:38 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:42:38 +0000 (UTC)
Subject: [Security-news] Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-083

Project: Simple XML sitemap [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <4.2.2
CVE IDs: CVE-2025-6676

Description:

Simple XML sitemap [3] is an SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.

The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site Scripting (XSS) attack vector.

This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.

Solution:

Addressing this vulnerability requires 2 steps:

* If you use simple_sitemap, upgrade to at least 4.2.2 [4] or a later, supported version.
* For all versions, ensure your permissions are assigned to appropriate roles and that users with the "administer sitemap settings" permission are trusted.

Reported By:

* Nick Vanpraet (grayle) [5]

Fixed By:

* David Rothstein (David_Rothstein) [6]
* Pawel Ginalski (gbyte) [7]

Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Michael Hess (mlhess) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team

[1] https://www.drupal.org/project/simple_sitemap
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/simple_sitemap
[4] https://www.drupal.org/project/simple_sitemap/releases/4.2.2
[5] https://www.drupal.org/u/grayle
[6] https://www.drupal.org/u/david_rothstein
[7] https://www.drupal.org/u/gbyte
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/poker10

From security-news at drupal.org Wed Jun 25 18:43:02 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 25 Jun 2025 18:43:02 +0000 (UTC)
Subject: [Security-news] Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Message-ID:

View online: https://www.drupal.org/sa-contrib-2025-084

Project: Paragraphs table [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13/25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Affected versions: >=2.0.0 <2.0.5
CVE IDs: CVE-2025-6677

Description:

The Paragraphs table project provides a field for a collection table.

The module doesn't sufficiently sanitise certain data attributes, allowing Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution:

Install the latest version:

* If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to paragraphs table 2.0.5 [3]

Reported By:

* Pierre Rudloff (prudloff) [4]

Fixed By:

* Joseph Olstad (joseph.olstad) [5]
* NGUYEN Bao (lazzyvn) [6]

Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team

[1] https://www.drupal.org/project/paragraphs_table
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/paragraphs_table/releases/2.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/josepholstad
[6] https://www.drupal.org/u/lazzyvn
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
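The Open Social advisory above (SA-CONTRIB-2025-079) describes routes that accept or reject event enrollments without sufficient CSRF protection. As an added illustration of the defence Drupal core provides for such state-changing link routes, and not code from Open Social or from the advisory: a route declares a `_csrf_token` requirement, and Drupal's CSRF access checker then refuses any request whose `token` query parameter is missing or not bound to the current session. The module name `my_events`, the route names, paths, controller class and the permission name are hypothetical placeholders.

```yaml
# Hypothetical my_events.routing.yml (placeholder module, not Open Social's code).
# Both routes change state on a GET request, so each carries the
# _csrf_token requirement: Drupal's CsrfAccessCheck rejects the request
# unless ?token=... matches the session-bound token for that path.
my_events.enrollment_accept:
  path: '/my-events/enrollment/{enrollment}/accept'
  defaults:
    _controller: '\Drupal\my_events\Controller\EnrollmentController::accept'
  requirements:
    _permission: 'manage event enrollments'   # hypothetical permission name
    _csrf_token: 'TRUE'
    enrollment: '\d+'                         # only numeric enrollment ids reach the controller

my_events.enrollment_decline:
  path: '/my-events/enrollment/{enrollment}/decline'
  defaults:
    _controller: '\Drupal\my_events\Controller\EnrollmentController::decline'
  requirements:
    _permission: 'manage event enrollments'
    _csrf_token: 'TRUE'
    enrollment: '\d+'
```

Links to these routes must be generated through the routing system, for example `Url::fromRoute('my_events.enrollment_accept', ['enrollment' => $id])` or `Link::createFromRoute(...)`, because Drupal's CSRF route processor appends the `token` query parameter only to URLs it generates; a hand-written `href` will not carry the token and the request will be denied with a 403. Where the action is better expressed as a confirmation step, a Form API form submitted by POST gets the same protection automatically through the form token. A useful check when reviewing a module is to list every route whose controller mutates data and confirm it has either `_csrf_token` or is reached only through a form.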