Hírolvasó

Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

• If you use access_code module for Drupal, upgrade to access_code 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Gergely Lekli (glekli)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

• If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Benjamin Rasmussen (ras-ben)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5.

Reported By: 

• Ivan (chi)

Fixed By: 

• Ivan (chi)
• Damien McKenna (damienmckenna) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Owl Carousel 2Date: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9554Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: API Key managerDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9553Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Synchronize composer.json With Contrib ModulesDate: 2025-August-27Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2025-9552Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Protected PagesDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.8.0CVE IDs: CVE-2025-9551Description: 

This module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Oksana Cyrwus (oksana-c)
• Ra Mänd (ram4nd)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9550Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joris Vercammen (borisson_)
• Thomas Seidl (drunken monkey)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: FacetsDate: 2025-August-27Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Information DisclosureAffected versions: <2.0.10 || >=3.0.0 <3.0.1CVE IDs: CVE-2025-9549Description: 

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Facets module for Drupal 8.x or higher, upgrade to Facets 2.0.10 or Facets 3.0.1

Reported By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Joris Vercammen (borisson_)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Thomas Seidl (drunken monkey)
• Jimmy Henderickx (strykaizer)

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Project: Authenticator LoginDate: 2025-August-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.1.8CVE IDs: CVE-2025-8093Description: 

This module allows users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version:

• If you use the Alogin module for Drupal 10^, upgrade to Alogin 2.1.8

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ahmed Raza (ahmed.raza)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team