Biztonsági figyelmeztetések (contrib)
Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
This module enables you to protect individual pages with a password.
The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.
CVSS risk score (experimental) 6.3 / Medium
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Solution:Install the latest version:
- If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100
This module enables you to to easily create and manage faceted search interfaces.
The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.
CVSS risk score (experimental) 4.8 / Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N
Solution:Install the latest version:
- If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1
- Joris Vercammen (borisson_)
- Thomas Seidl (drunken monkey)
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
This module enables you to to easily create and manage faceted search interfaces.
The module doesn't sufficiently check access to entities when they are displayed as facets.
This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.
CVSS risk score (experimental) 6.9 / Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Solution:Install the latest version:
- If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- Joris Vercammen (borisson_)
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Thomas Seidl (drunken monkey)
- Jimmy Henderickx (strykaizer)
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098
This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.
The module did not protect all possible login paths provided by core modules.
CVSS risk score (experimental) 6.3 / Medium
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Solution:Install the latest version:
- If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8
- Ahmed Raza (ahmed.raza)
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
