Hírolvasó

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.08
Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47710Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module does not sufficiently ensure that known login routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

Solution: 

Install the latest version:

  • If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
  • If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By: Fixed By: Coordinated By: 

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.07
Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47709Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.

Solution: 

Install the latest version:

  • If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
  • If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By: Fixed By: Coordinated By: 

Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.07
Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47708Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks.

Solution: 

Install the latest version:

  • If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
  • If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By: Fixed By: Coordinated By: 

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.07
Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47707Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't invoke two factor authentication (2FA) for the password reset option.

This vulnerability is mitigated by the fact that an attacker must have access to the password reset link.

Solution: 

Install the latest version:

  • If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
  • If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By: Fixed By: Coordinated By: 

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.07
Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47706Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods.

This vulnerability is mitigated by the fact that an attacker must have a username, password and TOTP token generated within the last 5 minutes.

Solution: 

Install the latest version:

  • If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
  • If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By: Fixed By: Coordinated By: 

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.07
Project: IFrame Remove FilterDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <2.0.5CVE IDs: CVE-2025-47705Description: 

This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.06
Project: Klaro Cookie & Consent ManagementDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <3.0.5CVE IDs: CVE-2025-47704Description: 

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.06
Project: COOKiES Consent ManagementDate: 2025-May-07Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.2.14CVE IDs: CVE-2025-47703Description: 

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.06
Project: oEmbed ProvidersDate: 2025-May-07Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.2.2CVE IDs: CVE-2025-47702Description: 

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly-accessible, malicious provider.

Solution: 

Install the latest version:

It is also recommended to review which roles are granted the "administer oembed providers" permission.

Reported By: Fixed By: Coordinated By: 

Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

Biztonsági figyelmeztetések (contrib) - 2025. május 7. 19.06
Project: Restrict route by IPDate: 2025-May-07Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.3.0CVE IDs: CVE-2025-47701Description: 

The Restrict route by IP module provides an interface to manage route restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route machine name.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.59
Project: Search API SolrDate: 2025-April-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.3.9CVE IDs: CVE-2025-3907Description: 

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that a site admin would have to perform further steps after the attack for it to have any effect.

Solution: 

Install the latest version:

We also recommend checking your Solr configuration for any unintended changes.

Reported By: Fixed By: Coordinated By: 

Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.59
Project: SportsleagueDate: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3904Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.59
Project: UEditor - 百度编辑器Date: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3903Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.59
Project: Block ClassDate: 2025-April-23Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: >=4.0.0 <4.0.1CVE IDs: CVE-2025-3902Description: 

Block Class enables you to add custom attributes to blocks.

The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer block classes".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.58
Project: Bootstrap Site AlertDate: 2025-April-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.13.0 || >=3.0.0 <3.0.4CVE IDs: CVE-2025-3901Description: 

This module enables you to put a site wide bootstrap themed alert message on the top of every page.

The module doesn't sufficiently filter text input when leading to a possible XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bootstrap site alerts".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Biztonsági figyelmeztetések (contrib) - 2025. április 23. 18.58
Project: ColorboxDate: 2025-April-23Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.1.3CVE IDs: CVE-2025-3900Description: 

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

  • If you use the Colorbox module 2.1.x for Drupal 10 or above, upgrade to Colorbox 2.1.3
  • If you use the Colorbox module 2.0.x, upgrade to Colorbox 2.1.3, as the 2.0.x branch becomes unsupported.
Reported By: Fixed By: Coordinated By: 

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

Biztonsági figyelmeztetések (contrib) - 2025. április 16. 18.26
Project: Drupal 8 Google Optimize Hide PageDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3739Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039

Biztonsági figyelmeztetések (contrib) - 2025. április 16. 18.25
Project: Google OptimizeDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3738Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038

Biztonsági figyelmeztetések (contrib) - 2025. április 16. 18.25
Project: Google Maps: Store LocatorDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3737Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037

Biztonsági figyelmeztetések (contrib) - 2025. április 16. 18.25
Project: Simple GTMDate: 2025-April-16Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3736Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...