Show advisories for only Drupal Core, only contributed projects, or only PSAs

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Date: 
2025-February-12
Security risk: 
Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-31686

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events.

Invites for a specific user can be seen under certain conditions.

The issue is mitigated for events by the fact that social_event_max_enroll has to be enabled.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Date: 
2025-February-12
Security risk: 
Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-31685

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.

Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate these parts.

The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language.

OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

Date: 
2025-February-05
Security risk: 
Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-31684

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling a client.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the client and deceive another user with this permission.

Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012

Date: 
2025-January-29
Security risk: 
Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-31683

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).

This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Date: 
2025-January-29
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-31682

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010

Date: 
2025-January-29
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-3062

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

Date: 
2025-January-29
Security risk: 
Critical 18 ∕ 25 AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-31681

This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.

The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.

Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008

Date: 
2025-January-29
Security risk: 
Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2025-31680

This module enables you to add the Matomo web statistics tracking system to your website.

The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.

The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.

This vulnerability is mitigated by the fact that:

  • The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
  • An attacker must know the machine name of the container.

Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

Date: 
2025-January-22
Security risk: 
Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-31679

This module enables you to render error pages using the Ignition package.

The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that this module is for development purposes and is not intended to be installed on production environments.

Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006

Date: 
2025-January-22
Security risk: 
Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All
CVE IDs: 
CVE-2025-3061

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Pages

Subscribe with RSS Subscribe to Security advisories