Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

Date: 
2025-July-16
CVE IDs: 
CVE-2025-7716

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of an XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.

Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

Date: 
2025-July-16
CVE IDs: 
CVE-2025-7715

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.

The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.
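As an added example (not the module's code), the check below contrasts an incomplete denylist of event attributes with an allowlist of attribute names that is normalised before comparison. The allowlist, the `render_block` helper and its inputs are assumptions for this illustration; the same approach applies to user-controlled data attributes generally. It is written in Python rather than PHP so it runs stand-alone.

```python
import html
import re

# Attribute names a site builder may legitimately add to a block wrapper.
# This allowlist is an assumption for the example, not the module's configuration.
SAFE_EXACT = {"id", "class", "title", "role", "lang", "dir", "tabindex", "hidden"}
SAFE_PREFIX_RE = re.compile(r"^(data|aria)-[a-z0-9_-]+$")
# Any attribute whose name starts with "on" is an event handler in HTML.
EVENT_HANDLER_RE = re.compile(r"^on")


def naive_is_allowed(name: str) -> bool:
    """Illustrative weak check (not the module's code): a short, case-sensitive
    denylist. HTML attribute names are case-insensitive and there are far more
    on* handlers than three, so this is trivially incomplete."""
    return name not in {"onclick", "onmouseover", "onkeyup"}


def is_allowed(name: str) -> bool:
    """Hardened check: normalise, then accept only names on the allowlist."""
    n = name.strip().lower()
    # Reject anything that is not a plain token: whitespace, quotes, '=' or '>'
    # in a "name" would let the value escape the attribute it was meant to be.
    if not re.fullmatch(r"[a-z][a-z0-9_-]*", n):
        return False
    # Defence in depth: never emit an event handler even if someone extends the allowlist.
    if EVENT_HANDLER_RE.match(n):
        return False
    return n in SAFE_EXACT or bool(SAFE_PREFIX_RE.match(n))


def render_block(attrs: dict[str, str], body: str) -> str:
    """Render a wrapper <div>, dropping rejected attribute names and escaping
    every attribute value. `body` is assumed to be already-rendered safe markup."""
    parts = []
    for name, value in attrs.items():
        if is_allowed(name):
            parts.append(f' {name.strip().lower()}="{html.escape(value, quote=True)}"')
    return f"<div{''.join(parts)}>{body}</div>"
```

Validating the name is not enough on its own: `render_block` also escapes the value, so a value such as `a" onmouseover="alert(1)` stays inside the `title` attribute instead of becoming a second attribute.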

File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

Date: 
2025-July-16
CVE IDs: 
CVE-2025-7717

The File Download module enables you to allow users to download file and image entities directly, using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core Statistics module tracks content views.

The File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Date: 
2025-July-09
CVE IDs: 
CVE-2025-7393

This module enables users to log in by email address with minimal configuration.

The module included some protection against brute-force attacks on the login form, but it was incomplete. An attacker could bypass the brute-force protection, potentially gaining access to an account.
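The advisory does not describe how the protection was bypassed. The following is an added example, not the module's code, of the login flood control design that closes the usual gaps: failures are counted per client IP and per targeted account (the two limits Drupal core's user flood control applies), and the per-account key is the resolved account rather than the raw string typed into the form, so switching between a username and an email address, or changing the letter case, does not reset the counter. The limits, the account directory and the password check are constructed for the example.

```python
import time
from collections import defaultdict, deque


class FloodControl:
    """Sliding-window failure counter keyed per IP and per account.
    Limits mirror Drupal core's defaults but are assumptions for this example."""
    IP_LIMIT, IP_WINDOW = 50, 3600        # failures per IP per hour
    USER_LIMIT, USER_WINDOW = 5, 21600    # failures per account per six hours

    def __init__(self, now=time.time):
        self.now = now
        self.events = defaultdict(deque)  # key -> timestamps of failures

    def _count(self, key, window):
        q = self.events[key]
        cutoff = self.now() - window
        while q and q[0] < cutoff:      # drop failures outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, ip, account_key):
        return (self._count(("ip", ip), self.IP_WINDOW) >= self.IP_LIMIT
                or self._count(("user", account_key), self.USER_WINDOW) >= self.USER_LIMIT)

    def register_failure(self, ip, account_key):
        t = self.now()
        self.events[("ip", ip)].append(t)
        self.events[("user", account_key)].append(t)


# Constructed directory: several identifiers that all resolve to one account.
ACCOUNTS = {"alice": 1, "alice@example.com": 1, "bob": 2}
PASSWORDS = {1: "correct-horse", 2: "battery-staple"}   # stand-in for hash verification


def resolve_account(identifier: str):
    """Map whatever the login form received (name or email, any case) to one account id.
    The flood key must be this canonical id, not the submitted string."""
    return ACCOUNTS.get(identifier.strip().lower())


def attempt_login(flood: FloodControl, ip: str, identifier: str, password: str) -> str:
    account_id = resolve_account(identifier)
    # Unknown identifiers are still counted, so guessing names costs attempts too.
    key = account_id if account_id is not None else ("unknown", identifier.strip().lower())
    if flood.is_blocked(ip, key):
        return "blocked"            # checked before the password, even if it is correct
    if account_id is not None and PASSWORDS[account_id] == password:
        return "ok"
    flood.register_failure(ip, key)
    return "failed"
```

Note that `is_blocked` runs before the password comparison: once the per-account limit is reached, even the correct password from a fresh IP is refused until the window expires, which is what stops an attacker from finishing a guess run from another address.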

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

Date: 
2025-July-09
CVE IDs: 
CVE-2025-7392

This module provides a text format filter which allows you to "disable" user-specified iframes (e.g. by removing their src attribute). These elements are enabled again once the Cookies banner is accepted.

The module doesn't sufficiently filter user-supplied content whose value may contain malicious content, leading to a Cross-site Scripting (XSS) vulnerability.
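As an added example (not the module's code), the filter below shows the safe way to build this kind of rewrite: the fragment is parsed, the iframe's src is moved to a data attribute for a consent script to restore later, and every attribute value and text node is re-escaped when the markup is serialised, so a crafted src value cannot break out of its attribute. The data-src / data-cookies-blocked attribute names are assumptions for the example, and it uses Python's html.parser rather than Drupal's filter API.

```python
from html import escape
from html.parser import HTMLParser


class IframeDisablingFilter(HTMLParser):
    """Rewrites <iframe src=...> to <iframe data-src=...> and marks it blocked.
    Output is rebuilt from parsed pieces, never by splicing the raw input,
    so attribute values are escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded here, re-escaped below
        self.out = []

    @staticmethod
    def _rewrite(tag, attrs):
        if tag == "iframe":
            attrs = [("data-src", v) if k == "src" else (k, v) for k, v in attrs]
            attrs.append(("data-cookies-blocked", "1"))
        return attrs

    @staticmethod
    def _serialise_attrs(attrs):
        # quote=True escapes both quote characters as well as <, > and &.
        return "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(self._rewrite(tag, attrs))}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(self._rewrite(tag, attrs))} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    # Comments are dropped (HTMLParser's default), which is fine for a text filter.


def disable_iframes(fragment: str) -> str:
    """Apply the filter to one HTML fragment and return the rewritten markup."""
    parser = IframeDisablingFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The consent script that later copies data-src back to src should set the attribute with the DOM API (setAttribute) rather than rebuilding the element's HTML from the stored string, for the same reason: the value must stay a value.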

Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086

Date: 
2025-July-02
CVE IDs: 
CVE-2025-7031

This module enables you to use config_pages as a content entity.

The module doesn't check permission or entity access before rendering config_pages content.

Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085

Date: 
2025-July-02
CVE IDs: 
CVE-2025-7030

This module enables you to allow and/or require a second authentication method in addition to password authentication.

The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Administer TFA for other users permission.

Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Date: 
2025-June-25
CVE IDs: 
CVE-2025-6677

The Paragraphs table module provides a field formatter that displays a collection of paragraphs as a table.

The module doesn't sufficiently sanitise certain data attributes, allowing Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Date: 
2025-June-25
CVE IDs: 
CVE-2025-6676

Simple XML sitemap is an SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.

The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site Scripting (XSS) attack vector.

This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082

Date: 
2025-June-25
CVE IDs: 
CVE-2025-6675

The module enables you to add second-factor authentication on top of the default Drupal login.

The module does not sufficiently ensure that known authorization routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.
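The advisory does not name the unprotected route. As an added example, not the module's code, the guard below shows the design that avoids the class of bug: a single chokepoint decides every request from the session state, so a half-authenticated session (password accepted, second factor pending) can reach only an explicit short list of routes, and nothing becomes reachable by being left off a list. The session states, route names and static-asset prefixes are assumptions for the illustration.

```python
import hmac
import re

# Session states assumed by this example: "anonymous" (no login yet),
# "mfa_pending" (password accepted, second factor not verified), "authenticated".
PUBLIC_ROUTES = {"/", "/user/login", "/user/password"}
# The only routes a half-authenticated session may reach besides public ones.
MFA_PENDING_ROUTES = {"/tfa/verify", "/user/logout"}
STATIC_RE = re.compile(r"^/(core|themes|sites/default/files)/")

# Illustrative weak pattern (not the module's code): protect an enumerated set of
# routes after the password step and let anything not listed through.
PROTECTED_ROUTES = {"/user", "/admin"}


def decide_by_enumeration(session: dict, path: str) -> str:
    if session.get("state") == "mfa_pending" and path in PROTECTED_ROUTES:
        return "redirect:/tfa/verify"
    return "allow"     # any route missing from PROTECTED_ROUTES skips the second factor


def decide(session: dict, path: str) -> str:
    """Default-deny chokepoint applied before routing.
    Returns 'allow' or the redirect target; there is no path that falls through."""
    state = session.get("state", "anonymous")
    if state == "authenticated":
        return "allow"
    if STATIC_RE.match(path) or path in PUBLIC_ROUTES:
        return "allow"
    if state == "mfa_pending":
        return "allow" if path in MFA_PENDING_ROUTES else "redirect:/tfa/verify"
    return "redirect:/user/login"


def complete_second_factor(session: dict, submitted: str, expected: str) -> bool:
    """Only a pending session can be upgraded, and only after the code matches.
    `expected` stands in for whatever the real verifier computes (TOTP, recovery code)."""
    if session.get("state") != "mfa_pending":
        return False
    if not hmac.compare_digest(submitted, expected):
        return False
    session["state"] = "authenticated"
    return True
```

The point of `complete_second_factor` checking the state itself is that the upgrade to "authenticated" happens in exactly one place, after verification, rather than being implied by having reached some route.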
