Show advisories for only Drupal Core, only contributed projects, or only PSAs

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071

Date: 
2025-May-28
Security risk: 
Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-48918

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly. A malicious admin could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer simple klaro" permission.

Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070

Date: 
2025-May-28
Security risk: 
Less critical 9 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2025-48916

This module enables you to setup a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons.

This module has a permission of "view booking" and "view booking contact" which allows you to view them regardless of whether you own them or not. Due to bad naming of the permissions it's likely admins have configured those to users that shouldn't have them.

Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069

Date: 
2025-May-21
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-48447

This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view.

The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting (XSS) attacks when tags or scripts are inserted.

This vulnerability is partially mitigated by the requirement that an attacker must have permission to create content containing an image field configured to use the LightGallery format.

Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068

Date: 
2025-May-21
Security risk: 
Less critical 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-48448

The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events (login, logout, and password reset requests).

The module does not sufficiently limit some large values before logging the data.

Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067

Date: 
2025-May-21
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-48446

This module enables you to pay for Commerce order to an environment provided and secured by the bank

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.

Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

Date: 
2025-May-21
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-48445

This module enables you to pay for Commerce order to an environment provided and secured by the bank

The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Date: 
2025-May-21
Security risk: 
Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2025-48013

This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node.

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

Date: 
2025-May-21
Security risk: 
Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
CVE IDs: 
CVE-2025-48444

This module provides a block to easily display a rendered node.

The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063

Date: 
2025-May-14
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-48012

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent the same TFA token within a 30 second window.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password and second factor.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062

Date: 
2025-May-14
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-48011

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes.

A new requirements check has been added to the status report so other authentication providers can be assessed to check if they also allow for this bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password.

Pages

Subscribe with RSS Subscribe to Security advisories