Hírolvasó
Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035
Stage File Proxy is a general solution for getting production files on a development server on demand.
The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources.
This vulnerability is mitigated by the fact it only affects sites where the Origin is configured with a trailing slash. Sites that cannot upgrade immediately can confirm they do not have a trailing slash or remove the trailing slash to mitigate the issue.
Solution:Install the latest version:
- If you use the Stage File Proxy module for Drupal, upgrade to Stage File Proxy 3.1.5
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034
The baguetteBox.js module provides integration with baguetteBox.js library.
The module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability.
Solution:Install the latest version:
- If you use the baguetteBox.js module 3.0.x, upgrade to baguetteBox.js 3.0.1
- If you use the baguetteBox.js module 2.0.x, upgrade to baguetteBox.js 2.0.4
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Panels - Critical - Access bypass - SA-CONTRIB-2025-033
Panels enables administrators to add page variants within page manager, panelizer, etc to create custom pages.
The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission.
This vulnerability is mitigated by the fact that an attacker must know the machine name of the variant and underlying page, which is not available within the source code of a page. Additionally, only simple blocks can be added or edited, as a more complex block will trigger an error due to missing permissions.
Solution:Install the latest version:
- If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9
- Greg Knaddison (greggles) of the Drupal Security Team
Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.
The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.
This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.
Solution:There are multiple steps. First, install the latest version. Second, download and install the library. See details below.
- If you use the Gif Player module for Drupal ^10.3 || ^11, upgrade to Gif Player 2.0.4
- If you are still using the old Gif Player 8.x-1.4 module for Drupal 9/10, upgrade to Gif Player 8.x-1.5 (but it is suggested to to upgrade to the 2.0.4 version if possible, as the 8.x-1.x branch will be phased out soon)
Please notice that the GifPlayer library is not included in the module anymore (file js/gifplayer.js) and needs to be downloaded separately in the /libraries directory (see the README.md for more details).
Reported By: Fixed By: Coordinated By:- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031
This module enables you to define automations on your Drupal site.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that an attacker must get a user with the permission "administer eca" to follow to a given site. It can also be mitigated by disabling the "eca_ui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.
Solution:Install the latest version:
- If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 or ECA 2.0.16 or ECA 2.1.7
- Juraj Nemec (poker10) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Jürgen Haas (jurgenhaas)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030
This module enables you to translate nodes, configuration, UI strings automatically.
The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of entities with arbitrary content and create load on the system leading to a Denial of Service.
Solution:Install the latest version:
- If you use the WEB-T module with version < 1.1.0, upgrade to WEB-T 1.1.0
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029
This module enables you to obfuscate email addresses, to avoid them being easily available to spammers.
The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML tag attributes. In a default Drupal installation this would require the administrator role and use of the Full HTML text format. It also requires that the ROT13 encoding be enabled in Obfuscate settings.
Install the latest version:
- Upgrade to Obfuscate 2.0.1
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
This module enables users to log in using a short access code instead of providing a username/password combination.
The module doesn't sufficiently protect against brute force attacks to guess a user's access code.
This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:
- disabling the access code login method for critical accounts
- monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)
Install the latest version:
- If you use the access_code module for Drupal 8.x or later, upgrade to access_code 2.0.4
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-027
This module enables sites to comply with the European cookie law using tarteaucitron.js.
The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.
Solution:Install the latest version:
- If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.7
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Sites with the Link module disabled or that do not use any link fields are not affected.
Solution:Install the latest version:
- If you use Drupal 10.3.x, update to Drupal 10.3.14
- If you use Drupal 10.4.x, update to Drupal 10.4.5
- If you use Drupal 11.0.x, update to Drupal 11.0.13
- If you use Drupal 11.1.x, update to Drupal 11.1.5
All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.
Reported By: Fixed By:- Benji Fisher (benjifisher) of the Drupal Security Team
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- Alex Bronstein (effulgentsia)
- Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Adam G-H (phenaproxima)
- Samuel Mortenson (samuel.mortenson)
- Jess (xjm) of the Drupal Security Team
Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026
Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Solution:Install the latest version:
- If you use the Formatter Suite module for Drupal 10, upgrade to Formatter Suite 2.1.0
- Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
- Daniel Wehner (dawehner)
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- cyoun
- Lee Rowlands (larowlan) of the Drupal Security Team
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025
This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Solution:Install the latest version:
- If you use the RapiDoc OAS Field Formatter module for Drupal 10, upgrade to RapiDoc OAS Field Formatter 1.0.1
- Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Arlina Espinoza Rhoton (arlina)
- Benji Fisher (benjifisher) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024
This module adds a formatter for link fields that displays the current entity with another view mode inside the link.
Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.
Solution:Install the latest version:
- If you use the Link field display mode formatter module for Drupal 10 or 11, upgrade to Link field display mode formatter 8.x-1.6
- Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
- Daniel Wehner (dawehner)
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
- Rodrigo Aguilera (rodrigoaguilera)
- Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.
This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.
Solution:Install the latest version and run database updates:
- If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.10
- Run the database updates. See help documentation on how to run database updates.
TFA 8.x-1.10 will provide a status report error if it detects a known route is being bypassed.
Caution: TFA 8.x-1.10 will attempt to restore these routes to expected norms. This may disable routes added by other modules.
Reported By: Fixed By: Coordinated By:- Greg Knaddison (greggles) of the Drupal Security Team
AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022
The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out a field data using LLM outputs.
The module contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It may be possible to escalate this attack to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). The potential vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.
The AI module is included in Drupal CMS.
Solution:Install the latest version:
- If you use the AI module for Drupal, upgrade to AI 1.0.5
- Drew Webber (mcdruid) of the Drupal Security Team
- Marcus Johansson (marcus_johansson)
- Drew Webber (mcdruid) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
