From security-news at drupal.org  Wed May  7 17:06:18 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:06:18 +0000 (UTC)
Subject: [Security-news] Restrict route by IP - Critical - Cross Site
 Request Forgery - SA-CONTRIB-2025-047
Message-ID: <mailman.7412.1746637933.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-047

Project: Restrict route by IP [1]
Date: 2025-May-07
Security risk: *Critical* 16/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <1.3.0
CVE IDs: CVE-2025-47701
Description:
The Restrict route by IP module provides an interface to manage route
restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route
machine name.

Solution:
Install the latest version:

  * If you use the restrict_route_by_ip module for Drupal 10.x or 11.x,
    upgrade to restrict_route_by_ip 1.3.0 [3]

Reported By:
  * Juraj Nemec (poker10) [4] of the Drupal Security Team

Fixed By:
  * lozbes [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/restrict_route_by_ip
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/restrict_route_by_ip/releases/1.3.0
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/lozbes
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:06:27 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:06:27 +0000 (UTC)
Subject: [Security-news] oEmbed Providers - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-048
Message-ID: <mailman.7413.1746637933.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-048

Project: oEmbed Providers [1]
Date: 2025-May-07
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Affected versions: <2.2.2
CVE IDs: CVE-2025-47702
Description:
This module extends the core Media module and allows site creators to permit
oEmbed providers in addition to YouTube and Vimeo, which are deemed
trustworthy by the Drupal Security Team.

The module doesn't sufficiently mark its administrative permission as
restricted, creating the possibility for the permission to be granted too
broadly and to users without the ability to adequately vet providers. A
malicious provider could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a
role with the permission "administer oembed providers", 2) have a role with
the ability to create or edit Media entities, and 3) have provisioned a
publicly-accessible, malicious provider.

Solution:
Install the latest version:

  * If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers
    2.2.2 [3]

It is also recommended to review which roles are granted the "administer
oembed providers" permission.

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Chris Burge (chris burge) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/oembed_providers
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oembed_providers/releases/2.2.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/chris-burge
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:06:39 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:06:39 +0000 (UTC)
Subject: [Security-news] COOKiES Consent Management - Moderately critical -
 Cross Site Scripting - SA-CONTRIB-2025-049
Message-ID: <mailman.7414.1746637933.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-049

Project: COOKiES Consent Management [1]
Date: 2025-May-07
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.2.14
CVE IDs: CVE-2025-47703
Description:
The COOKIES module protects users from executing JavaScript code provided by
third parties, e.g., to display ads or track user data without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also
allows inline JavaScript to be included in consent management. However, this
does not adequately check whether the provided JavaScript code originates
from authorized users.

A potential attacker would at least need permission to create and publish
HTML (e.g. content or comments).

Solution:
Install the latest version:

  * If you use the COOKiES Consent Management module for Drupal 9 or above,
    upgrade to COOKiES Consent Management 1.2.14 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Joachim Feltkamp (jfeltkamp) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.14
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jfeltkamp
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:06:54 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:06:54 +0000 (UTC)
Subject: [Security-news] Klaro Cookie & Consent Management - Moderately
 critical - Cross Site Scripting - SA-CONTRIB-2025-050
Message-ID: <mailman.7415.1746637937.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-050

Project: Klaro Cookie & Consent Management [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <3.0.5
CVE IDs: CVE-2025-47704
Description:
Klaro Cookie & Consent Management module is used for consent management for
cookies and external sources. It makes changes to the markup to enable or
disable loading.

The module doesn't sufficiently sanitize data attributes allowing persistent
Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role
with permission to enter HTML tags containing specific data attributes.

Solution:
Install the latest version:

  * If you use the Klaro Cookie & Consent Management module for Drupal
    10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.5 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Jan Kellermann (jan kellermann) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3523166
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jan-kellermann
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:07:04 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:07:04 +0000 (UTC)
Subject: [Security-news] IFrame Remove Filter - Moderately critical - Cross
 site scripting - SA-CONTRIB-2025-051
Message-ID: <mailman.7416.1746637937.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-051

Project: IFrame Remove Filter [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Affected versions: <2.0.5
CVE IDs: CVE-2025-47705
Description:
This module enables you to add a filter to text formats (Full HTML, Filtered
HTML), which will remove every iframe where the "src" is not on the
allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to
edit content that allows iframes.

Solution:
Install the latest version:

  * If you use the IFrame Remove Filter module for Drupal 10.x or 11.x,
    upgrade to IFrame Remove Filter 2.0.5 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Bálint Nagy (nagy.balint) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Drew Webber (mcdruid) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/iframeremove
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/iframeremove/releases/2.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/nagybalint
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:07:15 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:07:15 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Moderately
 critical - Access bypass - SA-CONTRIB-2025-052
Message-ID: <mailman.7417.1746637938.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-052

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47706
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.

The module doesn't sufficiently check whether the TOTP token is already used
or not for authenticator-based second-factor methods.

This vulnerability is mitigated by the fact that an attacker must have a
username, password and TOTP token generated within the last 5 minutes.

Solution:
Install the latest version:

  * If you use the Enterprise MFA - TFA for Drupal module on Drupal ^9.3,
    Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
  * If you use the Enterprise MFA - TFA for Drupal module on Drupal 8, Drupal 9
    or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].

Reported By:
  * Conrad Lara (cmlara) [5]

Fixed By:
  * Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:07:33 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:07:33 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Critical - Cross
 Site Request Forgery - SA-CONTRIB-2025-054
Message-ID: <mailman.7418.1746637960.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-054

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Critical* 18/25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47708
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.

The module doesn't sufficiently protect certain routes from Cross Site
Request Forgery (CSRF) attacks.

Solution:
Install the latest version:

  * If you use the Enterprise MFA - TFA for Drupal module on Drupal ^9.3,
    Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
  * If you use the Enterprise MFA - TFA for Drupal module on Drupal 8, Drupal 9
    or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].

Reported By:
  * Juraj Nemec (poker10) [5] of the Drupal Security Team

Fixed By:
  * Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/poker10
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:07:47 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:07:47 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Critical - Access
 bypass - SA-CONTRIB-2025-055
Message-ID: <mailman.7419.1746637964.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-055

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Critical* 18/25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47709
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.

The module doesn't sufficiently protect certain sensitive routes, allowing an
attacker to view or modify various TFA-related settings.

Solution:
Install the latest version:

  * If you use the Enterprise MFA - TFA for Drupal module on Drupal ^9.3,
    Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
  * If you use the Enterprise MFA - TFA for Drupal module on Drupal 8, Drupal 9
    or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].

Reported By:
  * Juraj Nemec (poker10) [5] of the Drupal Security Team

Fixed By:
  * Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/poker10
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:07:23 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:07:23 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Moderately
 critical - Access bypass - SA-CONTRIB-2025-053
Message-ID: <mailman.7421.1746637969.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-053

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Moderately critical* 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47707
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.

The module doesn't invoke two-factor authentication (2FA) for the password
reset option.

This vulnerability is mitigated by the fact that an attacker must have access
to the password reset link.

Solution:
Install the latest version:

  * If you use the Enterprise MFA - TFA for Drupal module on Drupal ^9.3,
    Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
  * If you use the Enterprise MFA - TFA for Drupal module on Drupal 8, Drupal 9
    or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].

Reported By:
  * Conrad Lara (cmlara) [5]

Fixed By:
  * Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May  7 17:08:32 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed,  7 May 2025 17:08:32 +0000 (UTC)
Subject: [Security-news] Enterprise MFA - TFA for Drupal - Critical - Access
 bypass - SA-CONTRIB-2025-056
Message-ID: <mailman.7420.1746637968.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-056

Project: Enterprise MFA - TFA for Drupal [1]
Date: 2025-May-07
Security risk: *Critical* 15/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*
CVE IDs: CVE-2025-47710
Description:
The module enables you to add second-factor authentication in addition to the
default Drupal login.

The module does not sufficiently ensure that known login routes are
protected.

This vulnerability is mitigated by the fact that an attacker must obtain the
user's username and password.

Solution:
Install the latest version:

  * If you use the Enterprise MFA - TFA for Drupal module on Drupal ^9.3,
    Drupal 10 or Drupal 11, upgrade to miniorange_2fa 5.2.0 [3].
  * If you use the Enterprise MFA - TFA for Drupal module on Drupal 8, Drupal 9
    or Drupal 10, upgrade to miniorange_2fa 8.x-4.7 [4].

Reported By:
  * Conrad Lara (cmlara) [5]

Fixed By:
  * Sudhanshu Dhage (sudhanshu0542) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_2fa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_2fa/releases/5.2.0
[4] https://www.drupal.org/project/miniorange_2fa/releases/8.x-4.7
[5] https://www.drupal.org/u/cmlara
[6] https://www.drupal.org/u/sudhanshu0542
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 14 18:04:32 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:04:32 +0000 (UTC)
Subject: [Security-news] Advanced File Destination - Critical - Multiple
 vulnerabilities - SA-CONTRIB-2025-057
Message-ID: <mailman.7690.1747246086.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-057

Project: Advanced File Destination [1]
Date: 2025-May-14
Security risk: *Critical* 15/25 Critical 16/25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Multiple vulnerabilities

Affected versions: *
Description:
The Advanced File Destination module enhances file upload management in
Drupal by allowing users to choose and create custom directories during file
uploads.

The module has multiple vulnerabilities that were reported through the Drupal
Security Team's coordinated vulnerability process. The project maintainer did
not follow the terms and conditions for hosting projects on drupal.org that
are opted into security coverage, so the module is losing its security
coverage. The private issues may be made public at the discretion of the
reporter and maintainer.


[1] https://www.drupal.org/project/advanced_file_destination
[2] https://www.drupal.org/security-team/risk-levels


From security-news at drupal.org  Wed May 14 18:04:45 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:04:45 +0000 (UTC)
Subject: [Security-news] Piwik PRO - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-058
Message-ID: <mailman.7691.1747246087.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-058

Project: Piwik PRO [1]
Date: 2025-May-14
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.3.2
CVE IDs: CVE-2025-4415
Description:
This module enables you to add the Piwik Pro web statistics tracking system
to your website.

The module does not validate the JS code that is loaded on the website, so a
user with the "Administer Piwik Pro" permission could configure the module to
load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer piwik pro" to access the settings form where
this can be configured.

Solution:
Install the latest version:

  * If you use the Piwik Pro module, upgrade to Piwik Pro 1.3.2 [3]

Sites are encouraged to review which roles have that permission and which
users have that role, to ensure that only trusted users have that permission.

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Hartsak (hartsak) [5]
  * Josha Hubbers (joshahubbers) [6]

Coordinated By:
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [8]


[1] https://www.drupal.org/project/piwik_pro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/piwik_pro/releases/1.3.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/hartsak
[6] https://www.drupal.org/u/joshahubbers-0
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff


From security-news at drupal.org  Wed May 14 18:04:53 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:04:53 +0000 (UTC)
Subject: [Security-news] Events Log Track - Moderately critical - Denial of
 Service - SA-CONTRIB-2025-059
Message-ID: <mailman.7692.1747246088.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-059

Project: Events Log Track [1]
Date: 2025-May-14
Security risk: *Moderately critical* 10/25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Denial of Service

Affected versions: <3.1.11 || >=4.0.0 <4.0.2
CVE IDs: CVE-2025-4416
Description:
The Events Log Track module enables you to log specific events on a Drupal
site.

The module doesn't sufficiently mitigate resource consumption for certain
requests, which allows a Denial of Service attack.

Solution:
Install the latest version:

  * If you use the event_log_track_auth_user_login_validate sub-module for
    Drupal 10.x or 11.x, upgrade to events_log_track 4.0.2 [3] or
    events_log_track 3.1.11 [4]

Reported By:
  * Scott Phillips (scottatdrake) [5]

Fixed By:
  * Mingsong (mingsong) [6]
  * Stephen Mustgrave (smustgrave) [7]

Coordinated By:
  * Greg Knaddison (greggles) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/events_log_track
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/events_log_track/releases/4.0.2
[4] https://www.drupal.org/project/events_log_track/releases/3.1.11
[5] https://www.drupal.org/u/scottatdrake
[6] https://www.drupal.org/u/mingsong
[7] https://www.drupal.org/u/smustgrave
[8] https://www.drupal.org/u/greggles


From security-news at drupal.org  Wed May 14 18:05:04 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:05:04 +0000 (UTC)
Subject: [Security-news] Single Content Sync - Moderately critical - Access
 bypass - SA-CONTRIB-2025-060
Message-ID: <mailman.7693.1747246089.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-060

Project: Single Content Sync [1]
Date: 2025-May-14
Security risk: *Moderately critical* 10/25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.4.12
CVE IDs: CVE-2025-48009
Description:
This module enables you to seamlessly migrate and deploy content across
environments, eliminating manual steps. It simplifies the process by
exporting content to a YML file or a ZIP archive, which can be imported into
another environment effortlessly.

While the export feature rightfully bypasses implemented access controls,
enabling it to extract all entity data, including private and confidential
information, to the mentioned formats, it fails to adequately safeguard the
generated output.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "export single content" or "Allow user to export all
content".

Solution:
Install the latest version:

  * If you use the Single Content Sync module for Drupal, upgrade to Single
    Content Sync 1.4.12. [3]

Reported By:
  * Dezső Biczó (mxr576) [4]

Fixed By:
  * Dave Long (longwave) [5] of the Drupal Security Team
  * Dezső Biczó (mxr576) [6]
  * Oleksandr Kuzava (nginex) [7]

Coordinated By:
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/single_content_sync
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/single_content_sync/releases/1.4.12
[4] https://www.drupal.org/u/mxr576
[5] https://www.drupal.org/u/longwave
[6] https://www.drupal.org/u/mxr576
[7] https://www.drupal.org/u/nginex
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 14 18:05:14 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:05:14 +0000 (UTC)
Subject: [Security-news] One Time Password - Moderately critical - Access
 bypass - SA-CONTRIB-2025-061
Message-ID: <mailman.7694.1747246090.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-061

Project: One Time Password [1]
Date: 2025-May-14
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <1.3.0
CVE IDs: CVE-2025-48010
Description:
This module enables you to allow users to include a second authentication
method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing
TFA.

This vulnerability is mitigated by the fact that an attacker must have access
to an email account attached to a user or a valid one time password link for
a user.

Solution:
Install the latest version:

  * If you use the One Time Password module for Drupal, upgrade to One Time
    Password 8.x-1.3 [3]

Reported By:
  * Conrad Lara (cmlara) [4]

Fixed By:
  * danielveza [5]
  * Kim Pepper (kim.pepper) [6]
  * Lee Rowlands (larowlan) [7] of the Drupal Security Team

Coordinated By:
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/one_time_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/one_time_password/releases/8.x-1.3
[4] https://www.drupal.org/u/cmlara
[5] https://www.drupal.org/u/danielveza
[6] https://www.drupal.org/u/kimpepper
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 14 18:05:22 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:05:22 +0000 (UTC)
Subject: [Security-news] One Time Password - Moderately critical - Access
 bypass - SA-CONTRIB-2025-062
Message-ID: <mailman.7695.1747246091.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-062

Project: One Time Password [1]
Date: 2025-May-14
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <1.3.0
CVE IDs: CVE-2025-48011
Description:
This module enables you to allow users to include a second authentication
method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using
the REST login routes.

A new requirements check has been added to the status report so other
authentication providers can be assessed to check if they also allow for this
bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a
valid username/password.

Solution:
Install the latest version:

  * If you use the One Time Password module for Drupal, upgrade to One Time
    Password 8.x-1.3 [3]

Reported By:
  * Conrad Lara (cmlara) [4]

Fixed By:
  * danielveza [5]
  * Kim Pepper (kim.pepper) [6]
  * Lee Rowlands (larowlan) [7] of the Drupal Security Team

Coordinated By:
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/one_time_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/one_time_password/releases/8.x-1.3
[4] https://www.drupal.org/u/cmlara
[5] https://www.drupal.org/u/danielveza
[6] https://www.drupal.org/u/kimpepper
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 14 18:05:33 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 14 May 2025 18:05:33 +0000 (UTC)
Subject: [Security-news] One Time Password - Moderately critical - Access
 bypass - SA-CONTRIB-2025-063
Message-ID: <mailman.7696.1747246095.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-063

Project: One Time Password [1]
Date: 2025-May-14
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <1.3.0
CVE IDs: CVE-2025-48012
Description:
This module enables you to allow users to include a second authentication
method in addition to password authentication.

The module doesn't sufficiently prevent the same TFA token from being accepted
again within a 30-second window.

This vulnerability is mitigated by the fact that an attacker must obtain a
valid username/password and second factor.

Solution:
Install the latest version:

  * If you use the One Time Password module for Drupal, upgrade to One Time
    Password 8.x-1.3 [3]

Reported By:
  * Conrad Lara (cmlara) [4]

Fixed By:
  * danielveza [5]
  * Lee Rowlands (larowlan) [6] of the Drupal Security Team
  * Ivo Van Geertruyen (mr.baileys) [7] of the Drupal Security Team

Coordinated By:
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/one_time_password
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/one_time_password/releases/8.x-1.3
[4] https://www.drupal.org/u/cmlara
[5] https://www.drupal.org/u/danielveza
[6] https://www.drupal.org/u/larowlan
[7] https://www.drupal.org/u/mrbaileys
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
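
The TOTP reuse weakness described in SA-CONTRIB-2025-052 and SA-CONTRIB-2025-063 (a code that already authenticated once is accepted again while it is still valid), as an added Python illustration written for this digest, not code from the miniorange_2fa or one_time_password modules, which are PHP. TotpVerifier, replay_demo and the user name "alice" are hypothetical; the secret is the RFC 4226 test key, and reject_reuse=False reproduces the weak behaviour while reject_reuse=True shows the per-user last-counter check that closes it.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time

STEP = 30     # RFC 6238 time step in seconds
DIGITS = 6    # code length
WINDOW = 1    # accept one step of clock skew on either side


def totp_code(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter; TOTP is HOTP over floor(t / STEP)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** DIGITS)).zfill(DIGITS)


class TotpVerifier:
    """Second-factor check with optional replay protection (hypothetical helper).

    reject_reuse=False reproduces the weakness the advisories describe: a code
    that already authenticated once is accepted again for as long as it is valid.
    reject_reuse=True remembers, per user, the highest time-step counter that
    was accepted and refuses that counter and every earlier one from then on.
    """

    def __init__(self, secrets: dict[str, bytes], reject_reuse: bool = True):
        self._secrets = secrets
        self._reject_reuse = reject_reuse
        self._last_counter: dict[str, int] = {}

    def verify(self, user: str, code: str, now: float | None = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != DIGITS or not code.isdigit():
            return False
        counter = int((time.time() if now is None else now) // STEP)
        for candidate in range(counter - WINDOW, counter + WINDOW + 1):
            if not hmac.compare_digest(totp_code(secret, candidate), code):
                continue
            last = self._last_counter.get(user, -1)
            if self._reject_reuse and candidate <= last:
                return False   # this code (or an older one) was already consumed
            self._last_counter[user] = max(candidate, last)
            return True
        return False


# Constructed sample: the RFC 4226 test key, not a real user's secret.
SAMPLE_SECRET = b"12345678901234567890"


def replay_demo(reject_reuse: bool) -> list[bool]:
    """Submit the same valid code twice at t=59s (counter 1); returns both outcomes."""
    verifier = TotpVerifier({"alice": SAMPLE_SECRET}, reject_reuse=reject_reuse)
    code = totp_code(SAMPLE_SECRET, 1)   # "287082" per the RFC 4226 test vectors
    first = verifier.verify("alice", code, now=59)
    second = verifier.verify("alice", code, now=59)
    return [first, second]


if __name__ == "__main__":
    print("without replay check:", replay_demo(False))   # [True, True]
    print("with replay check:   ", replay_demo(True))    # [True, False]
```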


From security-news at drupal.org  Wed May 21 17:28:12 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:28:12 +0000 (UTC)
Subject: [Security-news] Quick Node Block - Moderately critical - Access
 bypass - SA-CONTRIB-2025-064
Message-ID: <mailman.7905.1747848616.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-064

Project: Quick Node Block [1]
Date: 2025-May-21
Security risk: *Moderately critical* 11/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions:?<2.0.0
CVE IDs:?CVE-2025-48444
Description:?
This module provides a block to easily display a rendered node.

The module doesn't check access to content before displaying it to a visitor,
allowing unauthorized users to retrieve a list of labels of all nodes.

Solution:
Update to the latest version.

  * If you use the Quick Node Block module, update to Quick Node Block 2.0.1
    [3]

Reported By:
  * Mitch Portier (arkener) [4]

Fixed By:
  * Mitch Portier (arkener) [5]
  * Antonio Sánchez (saesa) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Ivo Van Geertruyen (mr.baileys) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/quick_node_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_block/releases/2.0.1
[4] https://www.drupal.org/u/arkener
[5] https://www.drupal.org/u/arkener
[6] https://www.drupal.org/u/saesa
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mrbaileys
[9] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 21 17:28:32 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:28:32 +0000 (UTC)
Subject: [Security-news] Quick Node Block - Moderately critical - Access
 bypass - SA-CONTRIB-2025-065
Message-ID: <mailman.7906.1747848621.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-065

Project: Quick Node Block [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.0.0
CVE IDs: CVE-2025-48013
Description:
This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before the block is rendered,
allowing users who would normally not be allowed to access the node to view
its content.

Solution:
Update to the latest version.

  * If you use the Quick Node Block module, update to Quick Node Block 2.0.1
    [3]

Reported By:
  * Mitch Portier (arkener) [4]

Fixed By:
  * Mitch Portier (arkener) [5]
  * Antonio Sánchez (saesa) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Ivo Van Geertruyen (mr.baileys) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/quick_node_block
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/quick_node_block/releases/2.0.1
[4] https://www.drupal.org/u/arkener
[5] https://www.drupal.org/u/arkener
[6] https://www.drupal.org/u/saesa
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mrbaileys
[9] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 21 17:28:48 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:28:48 +0000 (UTC)
Subject: [Security-news] Commerce Eurobank (Redirect) - Moderately critical
 - Access bypass - SA-CONTRIB-2025-066
Message-ID: <mailman.7907.1747848621.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-066

Project: Commerce Eurobank (Redirect) [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <2.1.1
CVE IDs: CVE-2025-48445
Description:
This module enables you to pay for a Commerce order in an environment provided
and secured by the bank.

The module doesn't sufficiently verify the payment status on canceled orders.
An attacker can issue a specially crafted request to update the order status
to completed.

Solution:
Install the latest version:

  * If you use the commerce_eurobank_redirect module for Drupal 8.x, upgrade
    to commerce_eurobank_redirect 2.1.1 [3]

Reported By:
  * Marios Tsalkidis (silios) [4]

Fixed By:
  * Bill Seremetis (bserem) [5]
  * Panagiotis Moutsopoulos (vensires) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce_eurobank_redirect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_eurobank_redirect/releases/2.1.1
[4] https://www.drupal.org/u/silios
[5] https://www.drupal.org/u/bserem
[6] https://www.drupal.org/u/vensires
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 21 17:28:56 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:28:56 +0000 (UTC)
Subject: [Security-news] Commerce Alphabank Redirect - Moderately critical -
 Access bypass - SA-CONTRIB-2025-067
Message-ID: <mailman.7908.1747848621.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-067

Project: Commerce Alphabank Redirect [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.0.3
CVE IDs: CVE-2025-48446
Description:
This module enables you to pay for a Commerce order in an environment provided
and secured by the bank.

The module doesn't sufficiently verify the payment status on canceled orders.
An attacker can issue a specially crafted request to update the order status
to completed.
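The weakness in SA-CONTRIB-2025-066 and SA-CONTRIB-2025-067 is the same: a return from the payment gateway that says "paid" is acted on without checking that the message is authentic and that the order is still in a state that may be completed. The Python below is an added example serving both advisories. It is not the code of either module and not the real Eurobank or Alphabank redirect protocol; it assumes a hypothetical gateway that signs its return parameters with HMAC-SHA256 over the sorted key=value pairs using a shared secret. The secret, the `Order` class and the parameter names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Shared secret agreed with the hypothetical gateway; constructed for the example.
GATEWAY_SECRET = b"example-shared-secret"


@dataclass
class Order:
    order_id: str
    amount: str      # minor currency units as a string, e.g. "1999" for 19.99
    currency: str
    state: str       # "pending", "completed" or "canceled"


def sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the sorted key=value pairs, excluding the signature.
    This canonicalisation is an assumption of the example, not a bank's scheme."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def handle_return_vulnerable(order: Order, params: dict) -> Order:
    """The flawed handler: trusts the status carried back by the user's browser
    and never looks at the order's own state, so a canceled order can be
    completed by anyone who can craft the return request."""
    if params.get("status") == "success":
        order.state = "completed"
    return order


def handle_return(order: Order, params: dict) -> Order:
    """The hardened handler: the response must be authentic, must describe this
    order and amount, and the order must still be waiting for payment."""
    # 1. Authenticity: only the gateway knows the secret, so a forged or
    #    tampered parameter set fails here.
    expected = sign(params, GATEWAY_SECRET)
    if not hmac.compare_digest(expected, str(params.get("signature", ""))):
        return order
    # 2. Binding: the signed response must be for this order, amount and currency.
    if (params.get("order_id") != order.order_id
            or params.get("amount") != order.amount
            or params.get("currency") != order.currency):
        return order
    # 3. State: canceled and already-completed orders are never transitioned.
    if order.state != "pending":
        return order
    # 4. Outcome: complete only on an authenticated success; a failure leaves
    #    the order pending for the normal retry or cancel flow.
    if params.get("status") == "success":
        order.state = "completed"
    return order
```

The state check in step 3 is the one the advisories are about: even a genuinely signed success response must not complete an order the customer has already canceled. In a real integration the signature and field names come from the bank's documentation, and a server-to-server status query to the gateway is a stronger source of truth than anything relayed through the browser.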

Solution:
Install the latest version:

  * If you use the commerce_alphabank_redirect module for Drupal 8.x, upgrade
    to commerce_alphabank_redirect 1.0.3 [3]

Reported By:
  * Marios Tsalkidis (silios) [4]

Fixed By:
  * Bill Seremetis (bserem) [5]
  * Panagiotis Moutsopoulos (vensires) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce_alphabank_redirect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_alphabank_redirect/releases/1.0.3
[4] https://www.drupal.org/u/silios
[5] https://www.drupal.org/u/bserem
[6] https://www.drupal.org/u/vensires
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 21 17:29:16 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:29:16 +0000 (UTC)
Subject: [Security-news] Admin Audit Trail - Less critical - Denial of
 Service - SA-CONTRIB-2025-068
Message-ID: <mailman.7909.1747848622.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-068

Project: Admin Audit Trail [1]
Date: 2025-May-21
Security risk: *Less critical* 9/25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service

Affected versions: <1.0.5
CVE IDs: CVE-2025-48448
Description:
The Admin Audit Trail module tracks logs of specific events that you'd like
to review. When the submodule Admin Audit Trail: User Authentication is
enabled, it logs user authentication events (login, logout, and password
reset requests).

The module does not sufficiently limit some large values before logging the
data.

Solution:
Install the latest version:

  * If you use the Admin Audit Trail module for Drupal 9/10/11, upgrade to
    Admin Audit Trail 1.0.5 [3]

Reported By:
  * Scott Phillips (scottatdrake) [4]

Fixed By:
  * Rajab Natshah (rajab natshah) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/admin_audit_trail
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/admin_audit_trail/releases/1.0.5
[4] https://www.drupal.org/u/scottatdrake
[5] https://www.drupal.org/u/rajab-natshah
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


From security-news at drupal.org  Wed May 21 17:29:27 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 21 May 2025 17:29:27 +0000 (UTC)
Subject: [Security-news] Lightgallery - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-069
Message-ID: <mailman.7910.1747848622.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-069

Project: Lightgallery [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.6.0
CVE IDs: CVE-2025-48447
Description:
This module integrates Drupal with LightGallery, enabling the use of the
LightGallery library with any image field or view.

The module does not adequately sanitize user input in the image field's
"alt" attribute, potentially allowing cross-site scripting (XSS) attacks when
tags or scripts are inserted.

This vulnerability is partially mitigated by the requirement that an attacker
must have permission to create content containing an image field configured
to use the LightGallery format.
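Added example, not Lightgallery module code (the markup template is assumed, not the module's own): the alt text is interpolated into an HTML attribute and into text content, and the fix is to escape each interpolation for its context. The check at the end parses the result with Python's html.parser and reports any on* event-handler attribute or script element the payload managed to create.

```python
from html import escape
from html.parser import HTMLParser


def gallery_item_vulnerable(src: str, alt: str) -> str:
    """Interpolates the field's alt text straight into the template. A double
    quote in `alt` ends the attribute and the rest becomes new attributes."""
    return f'<img src="{src}" alt="{alt}"><p class="caption">{alt}</p>'


def attr(value: str) -> str:
    """Escape a value for a double-quoted HTML attribute (quotes included)."""
    return escape(value, quote=True)


def text(value: str) -> str:
    """Escape a value for HTML text content."""
    return escape(value, quote=False)


def gallery_item(src: str, alt: str) -> str:
    """Same template with every interpolation escaped for its context."""
    return f'<img src="{attr(src)}" alt="{attr(alt)}"><p class="caption">{text(alt)}</p>'


class _TagCollector(HTMLParser):
    """Records the tag names and (tag, attribute-name) pairs the parser sees."""

    def __init__(self):
        super().__init__()
        self.attrs = []
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name) for name, _ in attrs)


def parse(markup: str) -> _TagCollector:
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p


def event_handlers(markup: str) -> list:
    """(tag, attribute) pairs for every on* attribute present in the markup."""
    return [(t, n) for t, n in parse(markup).attrs if n.startswith("on")]


def script_tags(markup: str) -> int:
    """Number of <script> start tags the browser-like parser would see."""
    return parse(markup).tags.count("script")
```

Running `gallery_item_vulnerable("a.jpg", 'x" onerror="alert(1)')` yields an `img` element with a live `onerror` handler, while `gallery_item` with the same input keeps the whole payload inside the quoted alt value. Escaping is context-specific: `quote=True` is what makes the attribute case safe, and a URL context would need scheme validation on top.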

Solution:
Install the latest version:

  * If you use the Lightgallery module, upgrade to Lightgallery 8.x-1.6 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Murilo Henrique Pucci (murilohp) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [8]


[1] https://www.drupal.org/project/lightgallery
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/lightgallery/releases/8.x-1.6
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/murilohp
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff


From security-news at drupal.org  Wed May 28 17:41:22 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:41:22 +0000 (UTC)
Subject: [Security-news] Bookable Calendar - Less critical - Access bypass -
 SA-CONTRIB-2025-070
Message-ID: <mailman.8158.1748459094.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-070

Project: Bookable Calendar [1]
Date: 2025-May-28
Security risk: *Less critical* 9/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.2.13
CVE IDs: CVE-2025-48916
Description:
This module enables you to set up a repeating date rule against which users
can "book" different dates, allowing you to let users register for a variety
of things like conference rooms or guitar lessons.

This module has the permissions "view booking" and "view booking contact",
which allow a user to view bookings regardless of whether they own them. Due
to the misleading naming of the permissions, it is likely that admins have
granted them to users who shouldn't have them.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "view booking" or "view booking contact".

Solution:
Install the latest version:

  * If you use the Bookable Calendar module for Drupal 8.x, upgrade to
    Bookable Calendar 2.2.13 [3]

Manual steps to patch the issue

This fix requires a View update to resolve the issue. The full view config
can be found in config/install/views.view.booking_contact.yml. If you
haven't customised this view yourself, you can just re-import the view
config, either through the Config Sync UI or through Drush like this: drush
cim --partial --source=modules/contrib/bookable_calendar/config/install. Note
that this Drush config import will import all config changes for the whole
module, not just this one view.

If you want to manually update the view through the Views UI, go to
admin/structure/views/view/booking_contact and edit both the User Bookings
and Past Bookings displays on the view. The only change required is in the
Contextual Filter: add a Validation Criteria under the section "when the
filter value is in the URL or a default is provided" and set the Action to
"Display 'Access Denied'".

Reported By:
  * Ludo Hartzema (absoludo) [4]

Fixed By:
  * Ludo Hartzema (absoludo) [5]
  * Josh Fabean (josh.fabean) [6]

Coordinated By:
  * Bram Driesen (bramdriesen) [7]
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team
  * Cathy Theys (yesct) [10] of the Drupal Security Team


[1] https://www.drupal.org/project/bookable_calendar
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bookable_calendar/releases/2.2.13
[4] https://www.drupal.org/u/absoludo
[5] https://www.drupal.org/u/absoludo
[6] https://www.drupal.org/u/joshfabean
[7] https://www.drupal.org/u/bramdriesen
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:43:25 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:43:25 +0000 (UTC)
Subject: [Security-news] Simple Klaro - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-071
Message-ID: <mailman.8159.1748459095.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-071

Project: Simple Klaro [1]
Date: 2025-May-28
Security risk: *Moderately critical* 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.10.0
CVE IDs: CVE-2025-48918
Description:
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your
website and allows you to configure it according to your needs in the Drupal
backend.

The module doesn't sufficiently mark its administrative permission as
restricted, creating the possibility for the permission to be granted too
broadly. A malicious admin could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "administer simple klaro" permission.

Solution:
Install the latest version:

  * If you use the "Simple Klaro" module for Drupal 9.x/10.x/11.x, upgrade to
    Simple Klaro 1.10.0 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Norman Kämper-Leymann (norman.lol) [5]

Coordinated By:
  * Juraj Nemec (poker10) [6] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [7]
  * Cathy Theys (yesct) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/simple_klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/simple_klaro/releases/1.10.0
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/normanlol
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:43:45 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:43:45 +0000 (UTC)
Subject: [Security-news] EU Cookie Compliance (GDPR Compliance) - Moderately
 critical - Cross Site Scripting - SA-CONTRIB-2025-072
Message-ID: <mailman.8160.1748459096.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-072

Project: EU Cookie Compliance (GDPR Compliance) [1]
Date: 2025-May-28
Security risk: *Moderately critical* 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.26.0
CVE IDs: CVE-2025-48917
Description:
This module addresses the General Data Protection Regulation (GDPR) and the
EU Directive on Privacy and Electronic Communications.

The module doesn't sufficiently verify whether "disabled JavaScript" entries
are valid or correspond to actual scripts on the page. As a result, an
attacker could inject and execute arbitrary JavaScript by adding invalid or
non-existent entries, which the module then attempts to process.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer EU Cookie Compliance banner".

Solution:
Install the latest version:

  * If you use EU Cookie Compliance (GDPR Compliance) module for Drupal 10+,
    upgrade to EU Cookie Compliance (GDPR Compliance) 8.x-1.26 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Grant McEwan (atowl) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Cathy Theys (yesct) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/eu_cookie_compliance
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eu_cookie_compliance/releases/8.x-1.26
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/atowl
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:44:14 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:44:14 +0000 (UTC)
Subject: [Security-news] Simple Klaro - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-073
Message-ID: <mailman.8161.1748459096.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-073

Project: Simple Klaro [1]
Date: 2025-May-28
Security risk: *Moderately critical* 13/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.10.0
CVE IDs: CVE-2025-48919
Description:
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your
website and allows you to configure it according to your needs in the Drupal
backend.

The module doesn't sufficiently sanitise data attributes allowing persistent
Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role
with permission to enter HTML tags containing specific data attributes.

Solution:
Install the latest version:

  * If you use the "Simple Klaro" module for Drupal 9.x/10.x/11.x, upgrade to
    Simple Klaro 1.10.0 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Norman Kämper-Leymann (norman.lol) [5]

Coordinated By:
  * Juraj Nemec (poker10) [6] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [7]
  * Cathy Theys (yesct) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/simple_klaro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/simple_klaro/releases/1.10.0
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/normanlol
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:44:34 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:44:34 +0000 (UTC)
Subject: [Security-news] etracker - Moderately critical - Cross Site
 Scripting - SA-CONTRIB-2025-074
Message-ID: <mailman.8162.1748459097.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-074

Project: etracker [1]
Date: 2025-May-28
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Affected versions: <3.1.0
CVE IDs: CVE-2025-48920
Description:
The module adds the etracker web statistics tracking system to your website.

The cookies_etracker submodule allows inline JavaScript to be included in
consent management. However, it does not adequately check whether the
provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish
HTML (e.g. content or comments).

Solution:
Install the latest version:

  * If you use the etracker module for Drupal 9 and above, upgrade to etracker
    8.x-3.1 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Julian Pustkuchen (anybody) [5]
  * Sven Schüring (sunlix) [6]

Coordinated By:
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Pierre Rudloff (prudloff) [8]
  * Cathy Theys (yesct) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/etracker
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/etracker/releases/8.x-3.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/anybody
[6] https://www.drupal.org/u/sunlix
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
[9] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:45:38 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:45:38 +0000 (UTC)
Subject: [Security-news] COOKiES Consent Management - Moderately critical -
 Cross Site Scripting - SA-CONTRIB-2025-075
Message-ID: <mailman.8163.1748459098.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-075

Project: COOKiES Consent Management [1]
Date: 2025-May-28
Security risk: *Moderately critical* 12/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.2.15
CVE IDs: CVE-2025-48914
Description:
This module provides a text format filter which allows you to "disable"
certain HTML elements (e.g. remove their src attribute) specified by the user.
These elements are enabled again once the COOKiES banner is accepted.

The module doesn't sufficiently check the value of a "data-src" attribute
before converting it back to "src" when the module-specific classes are set
on the HTML element, so the value may contain malicious content.

This vulnerability is mitigated by the fact that the site must have the
COOKiES filter submodule enabled, an attacker must have the permissions needed
to have a specific HTML element displayed to all users, and this HTML element
needs to have three specific classes set.
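Added example, not the COOKiES module's filter, with class and element names that are assumptions: the decision of whether to promote `data-src` back to `src`. The vulnerable form copies whatever value is present once the marker classes are there; the hardened form restricts the element types that may be re-enabled and accepts only relative, http or https URLs, so a `javascript:` or `data:` value is dropped instead of becoming a live `src`.

```python
from urllib.parse import urlsplit

# Assumed names: the marker classes the filter looks for (the advisory says
# three are required) and the element types that may be switched back on.
MARKER_CLASSES = frozenset({"cookies-blocked", "cookies-service", "cookies-consent"})
UNBLOCKABLE_TAGS = frozenset({"iframe", "img", "video", "audio"})
ALLOWED_SCHEMES = frozenset({"", "http", "https"})   # "" means a relative URL


def has_marker_classes(attrs: dict) -> bool:
    """True when every marker class is present on the element."""
    return MARKER_CLASSES <= set(attrs.get("class", "").split())


def is_safe_url(value: str) -> bool:
    """Accept relative, http and https URLs only. urlsplit() lowercases the
    scheme, so 'JavaScript:' is rejected just like 'javascript:' and 'data:'.
    Protocol-relative '//host/path' has an empty scheme and is allowed here."""
    return urlsplit(value.strip()).scheme in ALLOWED_SCHEMES


def unblock_vulnerable(tag: str, attrs: dict) -> dict:
    """The flawed filter step: once the marker classes are present, whatever
    sits in data-src becomes the live src."""
    attrs = dict(attrs)
    if has_marker_classes(attrs) and "data-src" in attrs:
        attrs["src"] = attrs.pop("data-src")
    return attrs


def unblock(tag: str, attrs: dict) -> dict:
    """The hardened step: only known embed elements are re-enabled, and only
    with a URL whose scheme cannot run script. Anything else is dropped so the
    element stays disabled rather than gaining a dangerous src."""
    attrs = dict(attrs)
    if not (has_marker_classes(attrs) and "data-src" in attrs):
        return attrs
    value = attrs.pop("data-src")
    if tag in UNBLOCKABLE_TAGS and is_safe_url(value):
        attrs["src"] = value
    return attrs
```

Keeping `script` out of the re-enable list is a design choice of the example: a script element whose source is chosen by whoever authored the content is exactly the code execution the consent filter is meant to gate, so user-supplied markup should never be able to turn one back on.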

Solution:
Install the latest version:

  * If you use the COOKiES Consent Management module for Drupal 9 or above,
    upgrade to COOKiES Consent Management 1.2.15 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Julian Pustkuchen (anybody) [5]
  * Joshua Sedler (grevil) [6]
  * Joachim Feltkamp (jfeltkamp) [7]

Coordinated By:
  * Juraj Nemec (poker10) [8] of the Drupal Security Team
  * Cathy Theys (yesct) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.15
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/anybody
[6] https://www.drupal.org/u/grevil
[7] https://www.drupal.org/u/jfeltkamp
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/yesct


From security-news at drupal.org  Wed May 28 17:46:10 2025
From: security-news at drupal.org (security-news at drupal.org)
Date: Wed, 28 May 2025 17:46:10 +0000 (UTC)
Subject: [Security-news] COOKiES Consent Management - Moderately critical -
 Cross Site Scripting - SA-CONTRIB-2025-076
Message-ID: <mailman.8164.1748459100.749.security-news@drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-076

Project: COOKiES Consent Management [1]
Date: 2025-May-28
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.2.15
CVE IDs: CVE-2025-48915
Description:
The COOKiES module protects users from executing JavaScript code provided by
third parties, e.g. to display ads or track user data without consent.

Each sub-module allows a specific third-party service to be included in
consent management by controlling the execution of its JavaScript. However,
this does not adequately check whether the provided JavaScript code originates
from authorized users.

A potential attacker would at least need permission to create and publish
HTML (e.g. content or comments).

Solution:
Install the latest version:

  * If you use the COOKiES Consent Management module for Drupal 9 or above,
    upgrade to COOKiES Consent Management 1.2.15 [3]

Reported By:
  * Pierre Rudloff (prudloff) [4]

Fixed By:
  * Joachim Feltkamp (jfeltkamp) [5]

Coordinated By:
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Cathy Theys (yesct) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.15
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/jfeltkamp
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/yesct