Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

Date: 2025-February-26
CVE IDs: CVE-2025-31690

The Cache Utility module provides the ability to view the status of, and flush, various caches.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks when flushing a cache: the request that triggers the flush is not validated for the user's identity and intent.

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Date: 2025-February-26
CVE IDs: CVE-2025-31689

The GDPR Task submodule enables you to create GDPR tasks.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks when creating tasks: the request that creates a task is not validated for the user's identity and intent.

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003

Date: 2025-February-19
CVE IDs: CVE-2025-31674

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
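As an added illustration (this is not Drupal core's code, and the class below is not the gadget chain the advisory refers to), the following PHP shows why an `unserialize()` sink matters and how to close it: a hypothetical class whose destructor includes a file from one of its properties, the vulnerable call that lets an attacker instantiate it, and the hardened alternatives. The class name, the file path and the serialized payload are constructed for this example.

```php
<?php
// Added illustration (not Drupal code): how a "gadget" class turns an
// unserialize() of attacker-controlled bytes into a file inclusion, and how
// to close that door. TemplateLoader, the path and the payload are constructed.

declare(strict_types=1);

// Hypothetical gadget: a class that includes a file named in a property when
// it is destroyed. It is harmless in normal use; the danger is that
// unserialize() lets an attacker instantiate it with any property value.
final class TemplateLoader
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            include $this->path;   // attacker-chosen path: arbitrary file inclusion
        }
    }
}

/**
 * Vulnerable: raw unserialize() on untrusted input. Any class loaded in the
 * process can be instantiated with attacker-chosen properties, and its magic
 * methods (__wakeup, __destruct, __toString, ...) will run.
 */
function unsafe_restore(string $untrusted): mixed
{
    return unserialize($untrusted);
}

/**
 * Hardened: forbid object instantiation entirely. Scalars and arrays still
 * round-trip; any object in the payload becomes __PHP_Incomplete_Class,
 * whose magic methods are never invoked. max_depth bounds nesting.
 */
function safe_restore(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 32]);
}

/**
 * Preferred for new code: a format with no object semantics at all.
 */
function safest_restore(string $untrusted): mixed
{
    return json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed payload: what an attacker would send to any sink that passes
// user input to unserialize(). It needs nothing but the name of a loaded class.
$payload = 'O:14:"TemplateLoader":1:{s:4:"path";s:15:"/tmp/evil.phtml";}';

$restored = safe_restore($payload);
var_dump($restored instanceof __PHP_Incomplete_Class);  // the gadget never runs

// unsafe_restore($payload) would create a real TemplateLoader and, when it is
// garbage-collected, include /tmp/evil.phtml if that file exists.
```

`allowed_classes` is the cheap, local fix for a sink you cannot remove; the real defence is never to hand attacker-influenced bytes to `unserialize()` at all, which is why the advisory rates the issue as not directly exploitable without a second bug that does exactly that.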

Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002

Date: 2025-February-19
CVE IDs: CVE-2025-31673

Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.

A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.
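As an added illustration of the check that a bulk path must not skip (this is not Drupal core's own action code and does not show the specific bug), here is a hypothetical action plugin that re-checks access per entity and per field before changing anything, so a user who can reach /admin/content but cannot edit a given field on a node gets the same refusal they would get on the node's own edit form. The module namespace, plugin id, label and field name are constructed for this example; `\Drupal::currentUser()` is used statically for brevity where real code would inject the service.

```php
<?php
// Added illustration (not Drupal core's action code): a bulk action whose
// access() checks both entity-level and field-level access for every selected
// entity. Namespace, plugin id, label and field name are constructed.

declare(strict_types=1);

namespace Drupal\example_bulk\Plugin\Action;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Action\ActionBase;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical action that promotes nodes by setting a boolean field.
 *
 * @Action(
 *   id = "example_set_promoted",
 *   label = @Translation("Promote selected content (example)"),
 *   type = "node"
 * )
 */
final class SetPromotedAction extends ActionBase {

  private const FIELD = 'promote';

  /**
   * {@inheritdoc}
   *
   * The Actions system calls this for every selected entity before execute().
   * Checking only entity-level 'update' access here is what lets a bulk
   * action touch fields the user could not edit on the individual node form.
   */
  public function access($object, ?AccountInterface $account = NULL, $return_as_object = FALSE) {
    if (!$object instanceof FieldableEntityInterface || !$object->hasField(self::FIELD)) {
      $result = AccessResult::forbidden('Not a fieldable entity with the target field.');
      return $return_as_object ? $result : $result->isAllowed();
    }

    // 1. May this account edit the entity at all?
    $entity_access = $object->access('update', $account, TRUE);

    // 2. May this account edit *this field* on *this entity*? This is the
    //    same check the node edit form performs for each widget.
    $field_access = $object->get(self::FIELD)->access('edit', $account, TRUE);

    $result = $entity_access->andIf($field_access);
    return $return_as_object ? $result : $result->isAllowed();
  }

  /**
   * {@inheritdoc}
   */
  public function execute($entity = NULL) {
    // Defence in depth: never assume the caller honoured access().
    if ($entity === NULL || !$this->access($entity, \Drupal::currentUser())) {
      return;
    }
    $entity->set(self::FIELD, TRUE);
    $entity->save();
  }

}
```

The `andIf()` result also carries cacheability metadata from both checks, so a Views bulk form that calls `access(..., TRUE)` gets a correctly cacheable answer rather than a bare boolean.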

Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

Date: 2025-February-19
CVE IDs: CVE-2025-3057

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).

Sites are encouraged to update. There are not yet publicly documented steps to exploit this, but there may be soon given the nature of this issue.

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.

Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017

Date: 2025-February-12
CVE IDs: CVE-2025-31688

This module enables you to create supersets of configuration and enable them conditionally, for example to have some modules installed only in some environments.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.

SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

Date: 2025-February-12
CVE IDs: CVE-2025-31687

This module enables your site to obfuscate email addresses and prevent spambots from collecting them.

The module doesn't sanitize HTML data attributes when an email address link is transformed into separate span HTML elements and later reassembled by JavaScript, leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact that an attacker must be able to insert span HTML elements with data attributes into the page.
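The two advisories above (SA-CORE-2025-001, reflected XSS through error messages, and SA-CONTRIB-2025-016, XSS through span data attributes) are both output-escaping failures in different contexts. As an added illustration that is not Drupal core's or SpamSpan's code, the PHP below shows the vulnerable and the fixed pattern for each: an error message that reflects a request parameter, and a SpamSpan-style obfuscation that writes user-controlled text into data attributes. Function names and the sample attacker input are constructed for this example.

```php
<?php
// Added illustration (not Drupal core's or SpamSpan's code): context-aware
// escaping for the two output contexts behind the advisories above. Function
// names and the sample inputs are constructed.

declare(strict_types=1);

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Utility\Html;

/**
 * Vulnerable pattern: user-controlled text concatenated into an error message
 * that is later rendered as HTML. A request parameter such as
 *   ?q=<img src=x onerror=alert(1)>
 * is reflected straight back to the browser.
 */
function error_message_unsafe(string $userValue): string {
  return 'Unknown value "' . $userValue . '".';
}

/**
 * Fixed pattern: route the untrusted piece through a placeholder. The @
 * prefix escapes the value for HTML text, and Drupal's renderer treats a
 * FormattableMarkup object as already-safe output, so escaping happens
 * exactly once and cannot be forgotten by a later caller.
 */
function error_message_safe(string $userValue): FormattableMarkup {
  return new FormattableMarkup('Unknown value "@value".', ['@value' => $userValue]);
}

/**
 * SpamSpan-style obfuscation: split an address into a span whose data
 * attributes a client-side script reassembles into a mailto: link.
 * Vulnerable: the local part and domain are dropped into attributes raw.
 */
function obfuscate_email_unsafe(string $user, string $domain): string {
  return '<span class="spamspan" data-user="' . $user . '" data-domain="' . $domain . '"></span>';
}

/**
 * Fixed: attribute-escape both values. Html::escape() encodes ", ', <, > and &
 * so a value cannot close the attribute or start a new tag. The client-side
 * script must then treat the decoded values as text (textContent / setAttribute),
 * never as HTML to be inserted with innerHTML.
 */
function obfuscate_email_safe(string $user, string $domain): string {
  return '<span class="spamspan" data-user="' . Html::escape($user)
    . '" data-domain="' . Html::escape($domain) . '"></span>';
}

// Constructed attacker input: closes the attribute and adds an event handler.
$evilUser = 'x" onmouseover="alert(1)';

echo obfuscate_email_unsafe($evilUser, 'example.com'), "\n";  // attribute breakout
echo obfuscate_email_safe($evilUser, 'example.com'), "\n";    // quotes encoded, one span, two attributes

echo error_message_unsafe('<img src=x onerror=alert(1)>'), "\n";       // tag survives
echo (string) error_message_safe('<img src=x onerror=alert(1)>'), "\n"; // tag encoded
```

The general rule the two fixes share: escape at the point of output, for the context the text lands in, and keep the "this is already safe" marker (`FormattableMarkup`, `Markup`) attached to the value rather than relying on every caller to remember.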

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Date: 2025-February-12
CVE IDs: CVE-2025-31686

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events.

Invites for a specific user can be seen under certain conditions.

The issue is mitigated for events by the fact that social_event_max_enroll has to be enabled.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Date: 2025-February-12
CVE IDs: CVE-2025-31685

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.

Some site administration configuration does not correctly check access when being translated, allowing unauthorized users to translate those parts.

The issue is mitigated by the fact that social_language needs to be enabled with more than one language.

OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

Date: 2025-February-05
CVE IDs: CVE-2025-31684

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling a client.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the client and deceive another user who has this permission.
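Four of the advisories on this page (Cache Utility, GDPR Task, Configuration Split and OAuth2 Client) describe the same defect: a state-changing action reachable by a plain link that carries nothing tying the request to the user's intent. As an added illustration that is not the code of any of those modules, the PHP below shows the two standard Drupal defences: the `_csrf_token` route requirement (shown in the routing YAML inside the comment) and a confirmation form, whose Form API token a cross-site request cannot supply. The module name, route names, paths and cache bins are constructed for this example; `\Drupal::cache()` is called statically for brevity where real code would inject the service.

```php
<?php
// Added illustration (not the code of any module above): CSRF protection for
// a "flush this cache" action. Module name, routes, paths and bins are constructed.

declare(strict_types=1);

namespace Drupal\example_csrf\Form;

use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/*
 * Option 1 (example_csrf.routing.yml): keep the link-style route but require a
 * CSRF token. Url::fromRoute('example_csrf.flush', ['bin' => 'render']) then
 * appends ?token=... automatically, and a request whose token does not match
 * the current session is rejected with 403 before the controller runs.
 *
 * example_csrf.flush:
 *   path: '/admin/example/flush/{bin}'
 *   defaults:
 *     _controller: '\Drupal\example_csrf\Controller\FlushController::flush'
 *   requirements:
 *     _permission: 'administer site configuration'
 *     _csrf_token: 'TRUE'
 *
 * Option 2 (the class below): route the action through a confirmation form.
 * Form API adds and validates a per-session form token, so a forged cross-site
 * request cannot submit it, and the user explicitly confirms intent.
 *
 * example_csrf.flush_confirm:
 *   path: '/admin/example/flush/{bin}/confirm'
 *   defaults:
 *     _form: '\Drupal\example_csrf\Form\FlushCacheConfirmForm'
 *     _title: 'Flush cache'
 *   requirements:
 *     _permission: 'administer site configuration'
 */
final class FlushCacheConfirmForm extends ConfirmFormBase {

  /** Cache bins this form may flush; anything else is refused. */
  private const ALLOWED_BINS = ['render', 'data', 'discovery'];

  private string $bin = '';

  public function getFormId(): string {
    return 'example_csrf_flush_cache_confirm';
  }

  public function getQuestion() {
    return $this->t('Flush the %bin cache?', ['%bin' => $this->bin]);
  }

  public function getCancelUrl() {
    return Url::fromRoute('system.status');
  }

  /**
   * The {bin} route parameter arrives here; validate it before using it as a key.
   */
  public function buildForm(array $form, FormStateInterface $form_state, ?string $bin = NULL): array {
    if ($bin === NULL || !in_array($bin, self::ALLOWED_BINS, TRUE)) {
      throw new NotFoundHttpException();
    }
    $this->bin = $bin;
    return parent::buildForm($form, $form_state);
  }

  /**
   * Only reached after Form API has verified the form token for this session,
   * so the flush cannot be triggered by a link or image on another site.
   */
  public function submitForm(array &$form, FormStateInterface $form_state): void {
    \Drupal::cache($this->bin)->deleteAll();
    $this->messenger()->addStatus($this->t('The %bin cache has been flushed.', ['%bin' => $this->bin]));
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```

Option 1 is the smallest change for an existing GET-driven action and is what "use CSRF tokens to protect routes" in the advisories points at; option 2 is preferable for anything destructive, because it also gives the user a chance to refuse. Either way the check belongs on the route or form, not in the link that happens to generate it.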
