Project: 
Date: 
2023-March-15
Vulnerability: 
Information Disclosure
Affected versions: 
>=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description: 

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By: 
Fixed By: