Biztonsági figyelmeztetések

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: DefacementAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13082Description: 

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.

The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Kevin Quillen (kevinquillen)

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Mingsong (mingsong), provisional member of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget chainAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13081Description: 

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• anzuukino

Fixed By: 

• Anna Kalata (akalata), provisional member of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13080Description: 

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This could be exploited in various ways:

• Broken rendering of some pages
• Unstyled or malformatted pages
• Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Dragos Dumitrescu (dragos-dumi)
• yasser ALLAM (inzo_)
• Nils Destoop (nils.destoop)
• Sven Decabooter (svendecabooter)
• zhero

Fixed By: 

• Alex Pott (alexpott) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Jen Lampton (jenlampton), provisional member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Nils Destoop (nils.destoop)
• Juraj Nemec (poker10) of the Drupal Security Team
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Drupal coreDate: 2025-November-12Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information disclosureAffected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8CVE IDs: CVE-2025-13083Description: 

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.

In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.

This vulnerability is mitigated by the following:

1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
2. An attacker must know to request a file that has previously been
   requested by a more-privileged user, and that file must still be cached.

Solution: 

Install the latest version:

• If you are using Drupal 10.4, update to Drupal 10.4.9.
• If you are using Drupal 10.5, update to Drupal 10.5.6.
• If you are using Drupal 11.1, update to Drupal 11.1.9.
• If you are using Drupal 11.2, update to Drupal 11.2.8.

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• tame4tex

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Mingsong (mingsong), provisional member of the Drupal Security Team
• Mohit Aghera (mohit_aghera)
• James Gilliland (neclimdul) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

• If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Diosbel Mezquía (dmezquia)
• Ide Braakman (idebr)
• Vitaliy Bogomazyuk (vitaliyb98)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: 

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

• If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• abdulaziz zaid

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2025-October-29Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >6.0.0 <6.0.7CVE IDs: CVE-2025-12466Description: 

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.

Solution: 

Install the latest version:

• If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7

Reported By: 

• coffeemakr

Fixed By: 

• Bojan Bogdanovic (bojan_dev)
• coffeemakr
• Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.12.0CVE IDs: CVE-2025-12083Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

Solution: 

Install the latest version:

• If you use the CivicTheme theme, upgrade to CivicTheme 1.12.

Reported By: 

• Adam Bramley (acbramley)
• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.12.0CVE IDs: CVE-2025-12082Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability

Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view.

This results in:

• Draft or never-published Event node data being visible to anonymous users on cards.
• Archived content persisting in curated content lists.

This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates.

Solution: 

Install the latest version:

• If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0

Reported By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Joshua Fernandes (joshua1234511)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Bohdan Artemchuk (bohart)
• Drew Webber (mcdruid) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

• If you use the Currency module for Drupal, upgrade to Currency 8.x-3.5

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher (berdir)
• Pieter Frenssen (pfrenssen)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Umami AnalyticsDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.1CVE IDs: CVE-2025-10931Description: 

This module enables you to add Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Solution: 

Install the latest version:

• If you use the Umami Analytics module upgrade to Umami Analytics 1.0.1 or 2.0.-beta3

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ivica Puljic (pivica)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of Drupal Security Team

Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

• If you use access_code module for Drupal, upgrade to access_code 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Gergely Lekli (glekli)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

• If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Benjamin Rasmussen (ras-ben)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5.

Reported By: 

• Ivan (chi)

Fixed By: 

• Ivan (chi)
• Damien McKenna (damienmckenna) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Owl Carousel 2Date: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9554Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: API Key managerDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9553Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Synchronize composer.json With Contrib ModulesDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9552Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Protected PagesDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0CVE IDs: CVE-2025-9551Description: 

This module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Oksana Cyrwus (oksana-c)
• Ra Mänd (ram4nd)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team