Biztonsági figyelmeztetések (contrib)

Project: Klaro Cookie & Consent ManagementDate: 2025-June-25Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <3.0.7CVE IDs: CVE-2025-5682Description: 

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

Solution: 

Install the latest version:

• If you use the Klaro Cookie & Consent Management module for Drupal 10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.7

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Jan Kellermann (jan kellermann)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Open SocialDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <12.3.14 || >=12.4.0 <12.4.13CVE IDs: CVE-2025-48921Description: 

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.14
• If you use Open Social 12.4.x upgrade to Open Social 12.4.13

Reported By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By: 

• Alexander Varwijk (kingdutch)
• Robert Ragas (robertragas)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: GLightboxDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: <1.0.16CVE IDs: CVE-2025-48922Description: 

GLightbox module is a pure Javascript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.

Solution: 

Install the latest version:

• If you use the GLightbox module, upgrade to GLightbox 1.0.16

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Ivan Abramenko (levmyshkin)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Toc.jsDate: 2025-June-25Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-48923Description: 

This module enables you to generate Table of content of your pages given a configuration.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.

Solution: 

Install the latest version:

• If you use the Toc JS module, upgrade to Toc Js 3.2.1

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Flocon de toile (flocondetoile)
• Frank Mably (mably)
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: COOKiES Consent ManagementDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.2.15CVE IDs: CVE-2025-48915Description: 

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Solution: 

Install the latest version:

• If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.15

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joachim Feltkamp (jfeltkamp)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: COOKiES Consent ManagementDate: 2025-May-28Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.2.15CVE IDs: CVE-2025-48914Description: 

This module provides a format filter, which allows you to "disable" certain HTML elements (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.

This vulnerability is mitigated by the fact that the site must have the COOKiES filter submodule enabled and an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have three concise classes set.

Solution: 

Install the latest version:

• If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.15

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Julian Pustkuchen (anybody)
• Joshua Sedler (grevil)
• Joachim Feltkamp (jfeltkamp)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: etrackerDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <3.1.0CVE IDs: CVE-2025-48920Description: 

The module adds the etracker web statistics tracking system to your website.

The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Solution: 

Install the latest version:

• If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Julian Pustkuchen (anybody)
• Sven Schüring (sunlix)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)
• Cathy Theys (yesct) of the Drupal Security Team

Project: Simple KlaroDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.10.0CVE IDs: CVE-2025-48919Description: 

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

• If you use the "Simple Klaro" module for Drupal 9.x/10.x/11.x, upgrade to Simple Klaro 1.10.0

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Norman Kämper-Leymann (norman.lol)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)
• Cathy Theys (yesct) of the Drupal Security Team

Project: EU Cookie Compliance (GDPR Compliance)Date: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.26.0CVE IDs: CVE-2025-48917Description: 

This module addresses the General Data Protection Regulation (GDPR) and the EU Directive on Privacy and Electronic Communications.

The module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page. As a result, an attacker could inject and execute arbitrary JavaScript by adding invalid or non-existent entries, which the module then attempts to process.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner".

Solution: 

Install the latest version:

• If you use EU Cookie Compliance (GDPR Compliance) module for Drupal 10+, upgrade to EU Cookie Compliance (GDPR Compliance) 8.x-1.26

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Grant McEwan (atowl)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Simple KlaroDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.10.0CVE IDs: CVE-2025-48918Description: 

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly. A malicious admin could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer simple klaro" permission.

Solution: 

Install the latest version:

• If you use the "Simple Klaro" module for Drupal 9.x/10.x/11.x, upgrade to Simple Klaro 1.10.0

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Norman Kämper-Leymann (norman.lol)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)
• Cathy Theys (yesct) of the Drupal Security Team

Project: Bookable CalendarDate: 2025-May-28Security risk: Less critical 9 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.2.13CVE IDs: CVE-2025-48916Description: 

This module enables you to setup a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons.

This module has a permission of "view booking" and "view booking contact" which allows you to view them regardless of whether you own them or not. Due to bad naming of the permissions it's likely admins have configured those to users that shouldn't have them.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view booking" or "view booking contact".

Solution: 

Install the latest version:

• If you use the Bookable Calendar module for Drupal 8.x, upgrade to Bookable Calendar 2.2.13

Manual Steps to patch issue

This fix requires a View update to resolve the issue. The full view config can be found in: config/install/views.view.booking_contant.yml. If you haven't customised this view yourself, you can just re-import the view config, either through the Config Sync UI or through drush like this: drush cim --partial --source=modules/contrib/bookable_calendar/config/install. The Drush config import will import all View changes to the whole module, not just this one view.

If you want to manually update the view through the Views UI, go to admin/structure/views/view/booking_contact and edit both the User Bookings and Past Bookings display on the view. The only change required is in the Contextual Filter, add a Validation Criteria under the section (when the filter is in the URL or a default is provided) and set the Action to "Display 'Access Denied'".

Reported By: 

• Ludo Hartzema (absoludo)

Fixed By: 

• Ludo Hartzema (absoludo)
• Josh Fabean (josh.fabean)

Coordinated By: 

• Bram Driesen (bramdriesen)
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: LightgalleryDate: 2025-May-21Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.6.0CVE IDs: CVE-2025-48447Description: 

This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view.

The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting (XSS) attacks when tags or scripts are inserted.

This vulnerability is partially mitigated by the requirement that an attacker must have permission to create content containing an image field configured to use the LightGallery format.

Solution: 

Install the latest version:

• If you use the Lightgallery module, upgrade to Lightgallery 8.x-1.6

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Murilo Henrique Pucci (murilohp)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff)

Project: Admin Audit TrailDate: 2025-May-21Security risk: Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: <1.0.5CVE IDs: CVE-2025-48448Description: 

The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events (login, logout, and password reset requests).

The module does not sufficiently limit some large values before logging the data.

Solution: 

Install the latest version:

• If you use the Admin Audit Trail module for Drupal 9/10/11, upgrade to Admin Audit Trail 1.0.5

Reported By: 

• Scott Phillips (scottatdrake)

Fixed By: 

• Rajab Natshah (rajab natshah)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Commerce Alphabank RedirectDate: 2025-May-21Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.3CVE IDs: CVE-2025-48446Description: 

This module enables you to pay for Commerce order to an environment provided and secured by the bank

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.

Solution: 

Install the latest version:

• If you use the commerce_alphabank_redirect module for Drupal 8.x, upgrade to commerce_alphabank_redirect 1.0.3

Reported By: 

• Marios Tsalkidis (silios)

Fixed By: 

• Bill Seremetis (bserem)
• Panagiotis Moutsopoulos (vensires)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Commerce Eurobank (Redirect)Date: 2025-May-21Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.1.1CVE IDs: CVE-2025-48445Description: 

This module enables you to pay for Commerce order to an environment provided and secured by the bank

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.

Solution: 

Install the latest version:

• If you use the commerce_eurobank_redirect module for Drupal 8.x, upgrade to commerce_eurobank_redirect 2.1.1

Reported By: 

• Marios Tsalkidis (silios)

Fixed By: 

• Bill Seremetis (bserem)
• Panagiotis Moutsopoulos (vensires)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Quick Node BlockDate: 2025-May-21Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.0.0CVE IDs: CVE-2025-48013Description: 

This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node.

Solution: 

Update to the latest version.

• If you use the Quick Node Block module, update to Quick Node Block 2.0.1

Reported By: 

• Mitch Portier (arkener)

Fixed By: 

• Mitch Portier (arkener)
• Antonio Sánchez (saesa)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Quick Node BlockDate: 2025-May-21Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.0.0CVE IDs: CVE-2025-48444Description: 

This module provides a block to easily display a rendered node.

The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes.

Solution: 

Update to the latest version.

• If you use the Quick Node Block module, update to Quick Node Block 2.0.1

Reported By: 

• Mitch Portier (arkener)

Fixed By: 

• Mitch Portier (arkener)
• Antonio Sánchez (saesa)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48012Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent the same TFA token within a 30 second window.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password and second factor.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Lee Rowlands (larowlan) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48011Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes.

A new requirements check has been added to the status report so other authentication providers can be assessed to check if they also allow for this bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Kim Pepper (kim.pepper)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: One Time PasswordDate: 2025-May-14Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.3.0CVE IDs: CVE-2025-48010Description: 

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user or a valid one time password link for a user.

Solution: 

Install the latest version:

• If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• danielveza
• Kim Pepper (kim.pepper)
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team