Biztonsági figyelmeztetések (contrib)

Project: Disable Login PageDate: 2025-December-03Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.1.3CVE IDs: CVE-2025-13986Description: 

This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.

The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.

This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.

Solution: 

Install the latest version:

• If you use the Disable Login Page module, upgrade to Disable Login Page 1.1.3

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Anoop John (anoopjohn)
• Jijo Joseph (jijojoseph_zyxware)
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Entity ShareDate: 2025-December-03Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <3.13.0CVE IDs: CVE-2025-13985Description: 

This module enables you to deploy content from one Drupal website to another.

The module provides some default configuration without sufficient access control.

This vulnerability is mitigated by the fact that an administrator can add some default access control permission.

Solution: 

Install the latest version:

• If you use the Entity Share module for Drupal on branch 8.x-3.x, upgrade to Entity Share 8.x-3.13.

For a hotfix without upgrading the module, edit the entity_share_client_entity_import_status view to ensure access permissions are set.

Reported By: 

• Jürgen Haas (jurgenhaas)

Fixed By: 

• Florent Torregrosa (grimreaper)
• Joachim Noreiko (joachim)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Next.jsDate: 2025-December-03Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.6.4 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-13984Description: 

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.

Solution: 

There are two steps to resolve the issue: Install the latest version and review your configuration,

1. Update the module:
   • If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1.
   • If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4.

2. After upgrading, review the CORS configuration in sites/default/services.yml. (See this module's CORS.md for details.). This is especially important if you previously relied on the automatic CORS configuration.

Reported By: 

• Mike Decker (pookmish)

Fixed By: 

• Brian Perry (brianperry)
• Rob Decker (rrrob)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: TagifyDate: 2025-December-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <1.2.44CVE IDs: CVE-2025-13983Description: 

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

Solution: 

Install the latest version:

• If you use the Tagify module for Drupal, upgrade to Tagify 1.2.44.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• David Galeano (gxleano)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Login Time RestrictionDate: 2025-December-03Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Cross-Site Request ForgeryAffected versions: <1.0.3CVE IDs: CVE-2025-13982Description: 

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution: 

Install the latest version:

• If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Kunal Singh (kunal_singh)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: AI (Artificial Intelligence)Date: 2025-December-03Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-Site ScriptingAffected versions: <1.0.7 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.4CVE IDs: CVE-2025-13981Description: 

This modules provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.

The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.

Solution: 

Install the latest version:

• If you use the AI module 1.0.x, upgrade to AI 1.0.7.
• If you use the AI module 1.1.x, upgrade to AI 1.1.7.
• If you use the AI module 1.2.x, upgrade to AI 1.2.4.

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Marcus Johansson (marcus_johansson)

Coordinated By: 

• Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: CKEditor 5 Premium FeaturesDate: 2025-December-03Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4CVE IDs: CVE-2025-13980Description: 

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.

This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.

This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.

Solution: 

Install the latest version:

• If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4.
• If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1.
• If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6.

A fix was also released to already unsupported branches. However, we recommend to use the latest version that works with the version of Drupal core that you're using:

• CKEditor 5 Premium Features 1.4.3.
• CKEditor 5 Premium Features 1.2.10.

After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the Use exporters endpoints permission to roles that are allowed to use text formats with export plugins enabled.

Reported By: 

• Wojciech Kukowski (salmonek)

Fixed By: 

• Wojciech Kukowski (salmonek)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Mini siteDate: 2025-December-03Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-Site ScriptingAffected versions: <3.0.2CVE IDs: CVE-2025-13979Description: 

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create [bundle] content permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

1. If you use Mini site 2.x or 3.x versions, upgrade to the Mini site 3.0.2.

2. A new manage minisites permission has been added. This new permission will need to be assigned to a trusted role for the user to be able to upload the zip file.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• cb_govcms

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Simple multi step formDate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <2.0.0CVE IDs: CVE-2025-12761Description: 

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

• If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported

Reported By: 

• Ide Braakman (idebr)

Fixed By: 

• Diosbel Mezquía (dmezquia)
• Ide Braakman (idebr)
• Vitaliy Bogomazyuk (vitaliyb98)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: 

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

• If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• abdulaziz zaid

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2025-October-29Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >6.0.0 <6.0.7CVE IDs: CVE-2025-12466Description: 

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the _role requirement, can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.

Solution: 

Install the latest version:

• If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7

Reported By: 

• coffeemakr

Fixed By: 

• Bojan Bogdanovic (bojan_dev)
• coffeemakr
• Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.12.0CVE IDs: CVE-2025-12083Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

Solution: 

Install the latest version:

• If you use the CivicTheme theme, upgrade to CivicTheme 1.12.

Reported By: 

• Adam Bramley (acbramley)
• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: CivicTheme Design SystemDate: 2025-October-22Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information disclosureAffected versions: <1.12.0CVE IDs: CVE-2025-12082Description: 

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manual lists, which leads to an information disclosure vulnerability

Specifically, when unpublished or archived nodes (CivicTheme Page and Event) are referenced via card components and placed into manually curated lists or blocks, a referenced card is rendered on the page for users who do not have permission to view unpublished content. The referenced node itself is correctly checked for permission, but the information in the card component (title, thumbnail, tags) discloses information that the user does not have access to view.

This results in:

• Draft or never-published Event node data being visible to anonymous users on cards.
• Archived content persisting in curated content lists.

This disclosure bypasses editorial expectations and may expose sensitive or internal-only content unintentionally. It does not require complex interaction or elevated permissions. It is triggered by standard reference configurations and view templates.

Solution: 

Install the latest version:

• If you use the CivicTheme theme for Drupal 10.x / 11.x, upgrade to CivicTheme-1.12.0

Reported By: 

• Lee Rowlands (larowlan) of the Drupal Security Team

Fixed By: 

• Alan Cole (alan.cole)
• Daniel (danielgry)
• Fiona Morrison (fionamorrison23)
• Suchi Garg (gargsuchi)
• Joshua Fernandes (joshua1234511)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Richard Gaunt (richardgaunt)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Bohdan Artemchuk (bohart)
• Drew Webber (mcdruid) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

• If you use the Currency module for Drupal, upgrade to Currency 8.x-3.5

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher (berdir)
• Pieter Frenssen (pfrenssen)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Umami AnalyticsDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.1CVE IDs: CVE-2025-10931Description: 

This module enables you to add Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Solution: 

Install the latest version:

• If you use the Umami Analytics module upgrade to Umami Analytics 1.0.1 or 2.0.-beta3

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ivica Puljic (pivica)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of Drupal Security Team

Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

• If you use access_code module for Drupal, upgrade to access_code 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Gergely Lekli (glekli)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

• If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Benjamin Rasmussen (ras-ben)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5.

Reported By: 

• Ivan (chi)

Fixed By: 

• Ivan (chi)
• Damien McKenna (damienmckenna) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team