Biztonsági figyelmeztetések (contrib)
Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
This module enables you to integrate the site with the Google Tag Manager (GTM) application.
The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.
Solution:Install the latest version:
- If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
- If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011
This module enables you to integrate the site with the Google Tag Manager (GTM) application.
The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.
Solution:Install the latest version:
- If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
- If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.
The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.
Solution:Install the latest version:
- If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent, as the 1.0.x branch is now unsupported
- If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent
- If you use the alogin module 2.1.x, you do not need to do anything
- Damien McKenna of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008
This module enables you to add the Matomo web statistics tracking system to your website.
The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.
The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.
This vulnerability is mitigated by the fact that:
- The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
- An attacker must know the machine name of the container.
Install the latest version:
- If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to Matomo Analytics 8.x-1.24
- Ivo Van Geertruyen of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Florent Torregrosa
- Ivo Van Geertruyen of the Drupal Security Team
Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
This module enables you to render error pages using the Ignition package.
The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that this module is for development purposes and is not intended to be installed on production environments.
Solution:Install the latest version:
- If you use the Ignition Error Pages module for Drupal 10/11, upgrade to Ignition Error Pages 1.0.4
- catch of the Drupal Security Team
- Dieter Holvoet
- Heine Deelstra of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- James Gilliland of the Drupal Security Team
Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004
The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.
The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.
This vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.
Solution:Install the latest version:
- If you use AI 1.x, upgrade to AI 1.0.3.
An update hook will update the view to use the view ai log permission. If you use version controlled configuration, remember to capture this.
(or) Disable the AI Logging module.
(or) Manually update the ai_logs view's access check to use the view ai log permission.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Dave Long of the Drupal Security Team
AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003
The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.
The AI Chatbot module doesn't protect against Cross Site Request Forgeries in the Deepchat chatbot. This could allow an attacker to craft a scenario that can forge a request on behalf of a privileged user. When combined with the AI Search submodule, this could result in the AI Assistant exposing indexed data that the attacker should not have access to. When combined with the external AI Agent module, this could result in the AI Assistant exposing and allowing modification of site configuration of fields, content types, and vocabularies. Sites with custom built agents, with more privileged access, could be at greater risk from an exploit of this vulnerability.
This vulnerability is mitigated by:
- The targeted user needs to have an active session with a role with the "access deepchat api" permission and permission to assistants.
- To extract data, the target site must have a permissive CORS policy allowing the attacking site to read the result of a cross origin request.
- To modify data, the targeted user must have permission to use the configured agents.
Install the latest version:
- If you use the AI module, upgrade to AI 1.0.2
If you cannot update, you can can uninstall the AI Chatbot sub-module.
Reported By: Fixed By: Coordinated By:- Greg Knaddison of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Reported By: Coordinated By:- Ivo Van Geertruyen of the Drupal Security Team
- Cathy Theys of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site.
The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.
This vulnerability is mitigated by the fact the attacker must be able to present the username and first factor (i.e. password).
Solution:Install the latest version:
- If you use the Email TFA module, upgrade to Email TFA 2.0.3
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_file_private to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem.
During updates from Open Social versions installed prior to 11.8.0 these files were not updated correctly and as a result the module didn't allow access checks to run correctly.
Solution:Install the latest version and make sure to run the update hooks.
- If you use Open Social 12.3.x upgrade to Open Social 12.3.10
- If you use Open Social 12.4.x upgrade to Open Social 12.4.9
- Greg Knaddison of the Drupal Security Team
Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution:Install the latest version:
- If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to Login Disable 2.1.1
The Drupal 7 version of the module is not affected.
Reported By: Fixed By: Coordinated By:- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072
This module provides a block that renders a link providing the functionality of a browser's back button.
The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:Install the latest version:
- If you use the Browser Back Button module for Drupal 9.x/10.x, upgrade to Browser Back Button 2.0.2
- Ivo Van Geertruyen of the Drupal Security Team
Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.
The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.
This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.
Solution:Install the latest version:
- If you use the Entity Form Steps module for Drupal 9.x/10.x, upgrade to Entity Form Steps 1.1.4
- Ivo Van Geertruyen of the Drupal Security Team
Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070
The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website.
Several administrator routes are unprotected against Cross-Site Request Forgery (CRSF) attacks.
Solution:Install the latest version:
- If you use the Minify JS module for Drupal 7.x, upgrade to Minify JS 7.x-1.11
- If you use the Minify JS module for Drupal 8.x, upgrade to Minify JS 3.0.3
- Ivo Van Geertruyen of the Drupal Security Team
- Scott Joudry
- Ivo Van Geertruyen of the Drupal Security Team
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
This module provides a field formatter for the field type 'file' called `Table of files with download all link` .
The module had vulnerabilities allowing a user to download files they normally should not be able to download.
Solution:Install the latest version:
- If you use the Download All Files module, upgrade to 2.0.2 version
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team