One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

Date: 2025-May-14
CVE IDs: CVE-2025-48010

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user, or a valid one-time password link for that user.

Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

Date: 2025-May-14
CVE IDs: CVE-2025-48009

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly.

While the export feature rightfully bypasses implemented access controls, enabling it to extract all entity data, including private and confidential information, to the mentioned formats, it fails to adequately safeguard the generated output.

Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

Date: 2025-May-14
CVE IDs: CVE-2025-4416

The Events Log Track module enables you to log specific events on a Drupal site.

The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.

Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058

Date: 2025-May-14
CVE IDs: CVE-2025-4415

This module enables you to add the Piwik Pro web statistics tracking system to your website.

The module does not check the JS code that is loaded on the website, so a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer piwik pro" to access the settings form where this can be configured.

Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057

Date: 2025-May-14

The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads.

The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The project maintainer did not follow the terms and conditions for hosting projects on drupal.org that are opted into security coverage, so the module is losing its security coverage. The private issues may be made public at the discretion of the reporter and maintainer.

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

Date: 2025-May-07
CVE IDs: CVE-2025-47710

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module does not sufficiently ensure that known login routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

Date: 2025-May-07
CVE IDs: CVE-2025-47709

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.

Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054

Date: 2025-May-07
CVE IDs: CVE-2025-47708

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks.

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

Date: 2025-May-07
CVE IDs: CVE-2025-47707

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't invoke two factor authentication (2FA) for the password reset option.

This vulnerability is mitigated by the fact that an attacker must have access to the password reset link.

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

Date: 2025-May-07
CVE IDs: CVE-2025-47706

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods.

This vulnerability is mitigated by the fact that an attacker must have a username, password and TOTP token generated within the last 5 minutes.
