Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Date: 2025-April-23
CVE IDs: CVE-2025-3900

Colorbox is a module that allows images, iframed content, or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

Date: 2025-April-16
CVE IDs: CVE-2025-3739

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039

Date: 2025-April-16
CVE IDs: CVE-2025-3738

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038

Date: 2025-April-16
CVE IDs: CVE-2025-3737

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037

Date: 2025-April-16
CVE IDs: CVE-2025-3736

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036

Date: 2025-April-16
CVE IDs: CVE-2025-3735

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

Date: 2025-April-16
CVE IDs: CVE-2025-3734

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources.

This vulnerability is mitigated by the fact it only affects sites where the Origin is configured with a trailing slash. Sites that cannot upgrade immediately can confirm they do not have a trailing slash or remove the trailing slash to mitigate the issue.

baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034

Date: 2025-April-16
CVE IDs: CVE-2025-3733

The baguetteBox.js module provides integration with the baguetteBox.js library.

The module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability.

Panels - Critical - Access bypass - SA-CONTRIB-2025-033

Date: 2025-April-09
CVE IDs: CVE-2025-3474

Panels enables administrators to add page variants within Page Manager, Panelizer, etc., to create custom pages.

The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission.

Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032

Date: 2025-April-09
CVE IDs: CVE-2025-31128

Gif Player Field provides a simple file field type that allows you to upload GIF files and configure their output using field formatters.

The module uses the GifPlayer jQuery library to render the GIF according to the configured field formatter settings. The external GifPlayer library doesn't sanitize attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.
