Biztonsági figyelmeztetések (contrib)

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48012Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent the same TFA token within a 30 second window.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password and second factor.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Lee Rowlands (larowlan) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48011Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes.

A new requirements check has been added to the status report so other authentication providers can be assessed to check if they also allow for this bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Kim Pepper (kim.pepper)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48010Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user or a valid one time password link for a user.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Kim Pepper (kim.pepper)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Single Content SyncDate: 2025-May-14Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.4.12CVE IDs: CVE-2025-48009Description: 

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly.

While the export feature rightfully bypasses implemented access controls, enabling it to extract all entity data, including private and confidential information, to the mentioned formats, it fails to adequately safeguard the generated output.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "export single content" or "Allow user to export all content".

Solution: 

Install the latest version:

• If you use the Single Content Sync module for Drupal, upgrade to Single Content Sync 1.4.12.

Reported By: 

• Dezső Biczó (mxr576)

Fixed By: 

• Dave Long (longwave) of the Drupal Security Team
• Dezső Biczó (mxr576)
• Oleksandr Kuzava (nginex)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Events Log TrackDate: 2025-May-14Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceAffected versions: <3.1.11 || >=4.0.0 <4.0.2CVE IDs: CVE-2025-4416Description: 

The Events Log Track module enables you to log specific events on a Drupal site.

The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.

Solution: 

Install the latest version:

• If you use the event_log_track_auth_user_login_validate sub-module for Drupal 10.x or 11.x, upgrade to events_log_track 4.0.2 or events_log_track 3.1.11

Reported By: 

• Scott Phillips (scottatdrake)

Fixed By: 

• Mingsong (mingsong)
• Stephen Mustgrave (smustgrave)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Piwik PRODate: 2025-May-14Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.3.2CVE IDs: CVE-2025-4415Description: 

This module enables you to add the Piwik Pro web statistics tracking system to your website.

The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer piwik pro" to access the settings form where this can be configured.

Solution: 

Install the latest version:

• If you use the Piwik Pro module, upgrade to Piwik Pro 1.3.2

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Hartsak (hartsak)
• Josha Hubbers (joshahubbers)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Project: Advanced File DestinationDate: 2025-May-14Security risk: Critical 15 ∕ 25 Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Multiple vulnerabilitiesAffected versions: *Description: 

The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads.

The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The project maintainer did not follow the terms and conditions for hosting projects on drupal.org that are opted into security coverage, so the module is losing its security coverage. The private issues may be made public at the discretion of the reporter and maintainer.

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47710Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module does not sufficiently ensure that known login routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

Solution: 

Install the latest version:

• If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
• If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• Sudhanshu Dhage (sudhanshu0542)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47709Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.

Solution: 

Install the latest version:

• If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
• If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sudhanshu Dhage (sudhanshu0542)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47708Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks.

Solution: 

Install the latest version:

• If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
• If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sudhanshu Dhage (sudhanshu0542)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47707Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't invoke two factor authentication (2FA) for the password reset option.

This vulnerability is mitigated by the fact that an attacker must have access to the password reset link.

Solution: 

Install the latest version:

• If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
• If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• Sudhanshu Dhage (sudhanshu0542)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.7.0 || >=5.2.0 <5.2.0 || 5.0.*CVE IDs: CVE-2025-47706Description: 

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods.

This vulnerability is mitigated by the fact that an attacker must have a username, password and TOTP token generated within the last 5 minutes.

Solution: 

Install the latest version:

• If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
• If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• Sudhanshu Dhage (sudhanshu0542)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: IFrame Remove FilterDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <2.0.5CVE IDs: CVE-2025-47705Description: 

This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.

Solution: 

Install the latest version:

• If you use the IFrame Remove Filter module for Drupal 10.x or 11.x, upgrade to IFrame Remove Filter 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Bálint Nagy (nagy.balint)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Klaro Cookie & Consent ManagementDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <3.0.5CVE IDs: CVE-2025-47704Description: 

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

• If you use the Klaro Cookie & Consent Management module for Drupal 10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Jan Kellermann (jan kellermann)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: COOKiES Consent ManagementDate: 2025-May-07Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.2.14CVE IDs: CVE-2025-47703Description: 

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Solution: 

Install the latest version:

• If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.14

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joachim Feltkamp (jfeltkamp)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: oEmbed ProvidersDate: 2025-May-07Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.2.2CVE IDs: CVE-2025-47702Description: 

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly-accessible, malicious provider.

Solution: 

Install the latest version:

• If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers 2.2.2

It is also recommended to review which roles are granted the "administer oembed providers" permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Chris Burge (chris burge)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Restrict route by IPDate: 2025-May-07Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.3.0CVE IDs: CVE-2025-47701Description: 

The Restrict route by IP module provides an interface to manage route restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route machine name.

Solution: 

Install the latest version:

• If you use the restrict_route_by_ip module for Drupal 10.x or 11.x, upgrade to restrict_route_by_ip 1.3.0

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• lozbes

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Search API SolrDate: 2025-April-23Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.3.9CVE IDs: CVE-2025-3907Description: 

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that a site admin would have to perform further steps after the attack for it to have any effect.

Solution: 

Install the latest version:

• If you use the Search API Solr module for Drupal 8+, upgrade to Search API Solr 4.3.10.

We also recommend checking your Solr configuration for any unintended changes.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Thomas Seidl (drunken monkey)
• Markus Kalkbrenner (mkalkbrenner)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: SportsleagueDate: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3904Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: UEditor - 百度编辑器Date: 2025-April-23Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-3903Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...