News reader
Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.
The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.
This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication bypass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration; by default it is 5).
Solution: Install the latest version:
- If you use the alogin module for Drupal 10^, upgrade to the latest version or at least Alogin 2.1.5
Note: the fix is in a git tag for 2.1.4; however, there is no release for that tag. The fix is also in the 2.1.5 release.
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Dan Smith (galooph) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095
This module enables you to provide SEO analysis and recommendations for a given URL.
The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access seo analyzer".
Solution: Install the latest version:
- If you use the AI SEO Link Advisor module 1.0.x, upgrade to AI SEO Link Advisor 1.0.6
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.
The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.
Solution: Install the latest version:
If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google Tag Manager 8.x-1.10.
The new version includes validation to prevent injection and restricts risky inputs.
Additionally, site administrators should review which roles have the Administer gtm permission at /admin/people/permissions.
Reported By:
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Anatoly Politsin (apolitsin)
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093
This module enables you to access an edit page for a config page.
The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.
Solution: Install the latest version:
- If you use the Config Pages module, upgrade to Config Pages 8.x-2.18.
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Alexander Shumenko (shumer)
- Greg Knaddison (greggles) of the Drupal Security Team
- Heine Deelstra (heine) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements are enabled again once the COOKiES banner is accepted.
The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content, under the scenario that module-specific classes are set on the HTML element.
This vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.
Solution: Install the latest version:
- If you use the COOKiES Video submodule for Drupal, upgrade to COOKiES 1.2.16
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
