Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067

Date: 2025-May-21
CVE IDs: CVE-2025-48446

This module enables you to pay for a Commerce order in an environment provided and secured by the bank.

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request that updates the order status to completed.

Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

Date: 2025-May-21
CVE IDs: CVE-2025-48445

This module enables you to pay for a Commerce order in an environment provided and secured by the bank.

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request that updates the order status to completed.

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Date: 2025-May-21
CVE IDs: CVE-2025-48013

This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before the block is rendered, so users who would normally not be allowed to access the node can see its content.

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

Date: 2025-May-21
CVE IDs: CVE-2025-48444

This module provides a block to easily display a rendered node.

The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063

Date: 2025-May-14
CVE IDs: CVE-2025-48012

This module enables users to add a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent the same TFA token from being reused within a 30-second window.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password and second factor.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062

Date: 2025-May-14
CVE IDs: CVE-2025-48011

This module enables users to add a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes.

A new requirements check has been added to the status report so other authentication providers can be assessed to check if they also allow for this bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

Date: 2025-May-14
CVE IDs: CVE-2025-48010

This module enables users to add a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user or a valid one time password link for a user.

Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

Date: 2025-May-14
CVE IDs: CVE-2025-48009

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly.

The export feature rightfully bypasses the implemented access controls so that it can extract all entity data, including private and confidential information, to the formats mentioned above; however, it fails to adequately safeguard the generated output.

Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

Date: 2025-May-14
CVE IDs: CVE-2025-4416

The Events Log Track module enables you to log specific events on a Drupal site.

The module doesn't sufficiently limit resource consumption for certain requests, which allows a Denial of Service attack.

Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058

Date: 2025-May-14
CVE IDs: CVE-2025-4415

This module enables you to add the Piwik Pro web statistics tracking system to your website.

The module does not validate the JS code that is loaded on the website, so a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer piwik pro" to access the settings form where this can be configured.
