Hírolvasó

Project: Real-time SEO for DrupalDate: 2025-July-16Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: >=2.0.0 <2.2.0CVE IDs: CVE-2025-7716Description: 

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.

Solution: 

Install the latest version:

• Upgrade to yoast_seo 8.x-2.2.

Reported By: 

• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team.

Fixed By: 

• Alexander Varwijk (kingdutch)
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team.

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Block AttributesDate: 2025-July-16Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <1.1.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-7715Description: 

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.

The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.

This vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.

Solution: 

Install the latest version:

• If you use the Block Attributes module for Drupal, upgrade to Block Attributes 8.x-1.1 or Block Attributes 2.0.1.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Kostia Bohach (_shy)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: File DownloadDate: 2025-July-16Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.9.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-7717Description: 

The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.

The File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.

Solution: 

Install the latest version:

• If you use the File Download module for Drupal 8.x, upgrade to File Download 2.0.1 or File Download 8.x-1.9.

Reported By: 

• Willem Drupal enthousiast (willempje2)

Fixed By: 

• Shelane French (shelane)
• Willem Drupal enthousiast (willempje2)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Mail LoginDate: 2025-July-09Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >3.0.0 <3.2.0 || >=4.0.0 <4.2.0CVE IDs: CVE-2025-7393Description: 

This module enables users to login by email address with the minimal configurations.

The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.

Solution: 

Install the latest version:

• If you use the mail_login 3.x, upgrade to Mail Login 3.2.0
• If you use the mail_login 4.x, upgrade to Mail Login 4.2.0

Reported By: 

• Ryugo Kinoshita (dc-kinoshita)

Fixed By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Mohammad AlQanneh (mqanneh)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Cookies AddonsDate: 2025-July-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: >1.0.0 < 1.2.4CVE IDs: CVE-2025-7392Description: 

This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.

The module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.

Solution: 

Install the latest version:

• Upgrade to Cookies Addons 1.2.4

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Guido Schmitz (guido_s)
• Kostia Bohach (_shy)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Config Pages ViewerDate: 2025-July-02Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.4CVE IDs: CVE-2025-7031Description: 

This module enables you to use config_pages as a content entity.

The module doesn't check permission or entity access before rendering config_pages content.

Solution: 

Install the latest version:

• If you use the Config Pages Viewer module at version 1.0.3 and lesser, upgrade to Config Pages Viewer 1.0.4.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• drdam
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Two-factor Authentication (TFA)Date: 2025-July-02Security risk: Less critical 9 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.11.0CVE IDs: CVE-2025-7030Description: 

This module enables you to allow and/or require a second authentication method in addition to password authentication.

The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Administer TFA for other users permission.

Solution: 

Install the latest version:

• If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.11.

Reported By: 

• Conrad Lara (cmlara)

Fixed By: 

• Conrad Lara (cmlara)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Dan Smith (galooph) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Project: Klaro Cookie & Consent ManagementDate: 2025-June-25Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: <3.0.7CVE IDs: CVE-2025-5682Description: 

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

Solution: 

Install the latest version:

• If you use the Klaro Cookie & Consent Management module for Drupal 10.x/11.x, upgrade to Klaro Cookie & Consent Management 3.0.7

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Jan Kellermann (jan kellermann)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Open SocialDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <12.3.14 || >=12.4.0 <12.4.13CVE IDs: CVE-2025-48921Description: 

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.14
• If you use Open Social 12.4.x upgrade to Open Social 12.4.13

Reported By: 

• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By: 

• Alexander Varwijk (kingdutch)
• Robert Ragas (robertragas)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: GLightboxDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: <1.0.16CVE IDs: CVE-2025-48922Description: 

GLightbox module is a pure Javascript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.

Solution: 

Install the latest version:

• If you use the GLightbox module, upgrade to GLightbox 1.0.16

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Ivan Abramenko (levmyshkin)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Toc.jsDate: 2025-June-25Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-48923Description: 

This module enables you to generate Table of content of your pages given a configuration.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.

Solution: 

Install the latest version:

• If you use the Toc JS module, upgrade to Toc Js 3.2.1

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Flocon de toile (flocondetoile)
• Frank Mably (mably)
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team