Hírolvasó

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

• If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Diosbel Mezquía (dmezquia)
• Ide Braakman (idebr)
• Vitaliy Bogomazyuk (vitaliyb98)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: 

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

• If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• abdulaziz zaid

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2025-October-29Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >6.0.0 <6.0.7CVE IDs: CVE-2025-12466Description: 

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.

Solution: 

Install the latest version:

• If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7

Reported By: 

• coffeemakr

Fixed By: 

• Bojan Bogdanovic (bojan_dev)
• coffeemakr
• Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.12.0CVE IDs: CVE-2025-12083Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

Solution: 

Install the latest version:

• If you use the CivicTheme theme, upgrade to CivicTheme 1.12.

Reported By: 

• Adam Bramley (acbramley)
• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.12.0CVE IDs: CVE-2025-12082Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability

Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view.

This results in:

• Draft or never-published Event node data being visible to anonymous users on cards.
• Archived content persisting in curated content lists.

This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates.

Solution: 

Install the latest version:

• If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0

Reported By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Joshua Fernandes (joshua1234511)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Bohdan Artemchuk (bohart)
• Drew Webber (mcdruid) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

• If you use the Currency module for Drupal, upgrade to Currency 8.x-3.5

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher (berdir)
• Pieter Frenssen (pfrenssen)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Umami AnalyticsDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.1CVE IDs: CVE-2025-10931Description: 

This module enables you to add Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Solution: 

Install the latest version:

• If you use the Umami Analytics module upgrade to Umami Analytics 1.0.1 or 2.0.-beta3

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ivica Puljic (pivica)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of Drupal Security Team

Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

• If you use access_code module for Drupal, upgrade to access_code 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Gergely Lekli (glekli)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

• If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Benjamin Rasmussen (ras-ben)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5.

Reported By: 

• Ivan (chi)

Fixed By: 

• Ivan (chi)
• Damien McKenna (damienmckenna) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Owl Carousel 2Date: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9554Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: API Key managerDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9553Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Synchronize composer.json With Contrib ModulesDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9552Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Protected PagesDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0CVE IDs: CVE-2025-9551Description: 

This module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Oksana Cyrwus (oksana-c)
• Ra Mänd (ram4nd)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9550Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joris Vercammen (borisson_)
• Thomas Seidl (drunken monkey)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9549Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Joris Vercammen (borisson_)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Thomas Seidl (drunken monkey)
• Jimmy Henderickx (strykaizer)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.1.8CVE IDs: CVE-2025-8093Description: 

This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Layout Builder Advanced PermissionsDate: 2025-August-13Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: 2.2.0CVE IDs: CVE-2025-8996Description: 

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

• Node: View published content
• Node: (Your content type): Create new content
• Node: (Your content type): Edit any content
• Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
• Layout builder advanced permissions: Access Layout Builder page

Solution: 

Install the latest version:

• If you use the Layout Builder Advanced Permissions module, upgrade to Layout Builder Advanced Permissions 2.2.1

Reported By: 

• Eelke Blok (eelkeblok)
• Michael Whittaker (mrwhittaker)

Fixed By: 

• Eelke Blok (eelkeblok)
• Sorin Dediu (sdstyles)
• Sean Blommaert (seanb)

Coordinated By: 

• Anna Kalata (akalata)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team