Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Date: 2025-July-09
CVE IDs: CVE-2025-7393

This module enables users to login by email address with the minimal configurations.

The module included some protection against brute-force attacks on the login form, but it was incomplete. An attacker could bypass the brute-force protection, potentially gaining access to an account.

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

Date: 2025-July-09
CVE IDs: CVE-2025-7392

This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.

The module doesn't sufficiently filter user-supplied content whose value might contain malicious content, leading to a Cross-site Scripting (XSS) vulnerability.

Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086

Date: 2025-July-02
CVE IDs: CVE-2025-7031

This module enables you to use config_pages as a content entity.

The module doesn't check permission or entity access before rendering config_pages content.

Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085

Date: 2025-July-02
CVE IDs: CVE-2025-7030

This module enables you to allow and/or require a second authentication method in addition to password authentication.

The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Administer TFA for other users permission.

Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Date: 2025-June-25
CVE IDs: CVE-2025-6677

Project Paragraphs table provides a field for a collection table.

The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Date: 2025-June-25
CVE IDs: CVE-2025-6676

Simple XML sitemap is an SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.

The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site Scripting (XSS) attack vector.

This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082

Date: 2025-June-25
CVE IDs: CVE-2025-6675

The module enables you to add second-factor authentication on top of the default Drupal login.

The module does not sufficiently ensure that known authorization routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081

Date: 2025-June-25
CVE IDs: CVE-2025-6674

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.

The module doesn't sufficiently validate iframe sources when a user embeds a video using the CKEditor YouTube integration, leading to a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to use the CKEditor Youtube embed button.

Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080

Date: 2025-June-25
CVE IDs: CVE-2025-5682

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

Date: 2025-June-25
CVE IDs: CVE-2025-48921

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.
