Biztonsági figyelmeztetések

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9550Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joris Vercammen (borisson_)
• Thomas Seidl (drunken monkey)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9549Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Joris Vercammen (borisson_)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Thomas Seidl (drunken monkey)
• Jimmy Henderickx (strykaizer)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.1.8CVE IDs: CVE-2025-8093Description: 

This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Layout Builder Advanced PermissionsDate: 2025-August-13Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: 2.2.0CVE IDs: CVE-2025-8996Description: 

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

• Node: View published content
• Node: (Your content type): Create new content
• Node: (Your content type): Edit any content
• Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
• Layout builder advanced permissions: Access Layout Builder page

Solution: 

Install the latest version:

• If you use the Layout Builder Advanced Permissions module, upgrade to Layout Builder Advanced Permissions 2.2.1

Reported By: 

• Eelke Blok (eelkeblok)
• Michael Whittaker (mrwhittaker)

Fixed By: 

• Eelke Blok (eelkeblok)
• Sorin Dediu (sdstyles)
• Sean Blommaert (seanb)

Coordinated By: 

• Anna Kalata (akalata)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-13Security risk: Highly critical 21 ∕ 25 AC:Basic/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: Access bypassAffected versions: <2.1.4CVE IDs: CVE-2025-8995Description: 

This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.

The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.

This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).

Solution: 

Install the latest version:

• If you use the alogin module for Drupal 10^, upgrade to the latest version or at least Alogin 2.1.5

Note: the fix is in a tag in git for 2.1.4 however there is no release for that tag. The fix is also in 2.1.5 release.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Dan Smith (galooph) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: AI SEO Link AdvisorDate: 2025-August-06Security risk: Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Server-side Request ForgeryAffected versions: <1.0.6CVE IDs: CVE-2025-8675Description: 

This module enables you to provide SEO analysis and recommendations for a given URL.

The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access seo analyzer".

Solution: 

Install the latest version:

• If you use the AI SEO Link Advisor module 1.0.x, upgrade to AI SEO Link Advisor 1.0.6

Reported By: 

• Alberto Cocchiara (bigbabert)
• Conrad Lara (cmlara)

Fixed By: 

• Alberto Cocchiara (bigbabert)
• Conrad Lara (cmlara)
• Vishal Kadam (vishal.kadam)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: GoogleTag ManagerDate: 2025-July-30Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.10.0CVE IDs: CVE-2025-8362Description: 

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.

The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.

Solution: 

Install the latest version:

If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google Tag Manager 8.x-1.10.

The new version includes validation to prevent injection and restricts risky inputs.

Additionally, site administrators should review which roles have the Administer gtm permission at /admin/people/permissions.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Fixed By: 

• Anatoly Politsin (apolitsin)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Config PagesDate: 2025-July-30Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.18.0CVE IDs: CVE-2025-8361Description: 

This module enables you to access an edit page for a config page.

The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.

Solution: 

Install the latest version:

• If you use the Config Pages module, upgrade to Config Pages 8.x-2.18.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Fixed By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Alexander Shumenko (shumer)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Heine Deelstra (heine) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team