Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005

Date: 2025-January-22
CVE IDs: CVE-2025-3060

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

Date: 2025-January-22
CVE IDs: CVE-2025-31678

The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.

The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.

This vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.

AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

Date: 2025-January-15
CVE IDs: CVE-2025-31677

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.

Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002

Date: 2025-January-08
CVE IDs: CVE-2025-3059

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001

Date: 2025-January-08
CVE IDs: CVE-2025-31676

This module enables you to do Two-Factor Authentication by email: a verification code is sent to the user's registered email address every time the user tries to log in to your site.

The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.

This vulnerability is mitigated by the fact that the attacker must be able to present the username and first factor (i.e. password).

Drupal 7 End of Life - PSA-2025-01-06

Date: 2025-January-06

Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided.

What this means for you:

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Date: 2024-December-11
CVE IDs: CVE-2024-13312

Open Social is a Drupal distribution for online communities. It ships with a default (optional) module, social_file_private, to ensure that the images and files provided by the distribution are stored in the private filesystem instead of the public one.

On installations of Open Social created before version 11.8.0, after updating to 11.8.0 or higher, newly uploaded files were no longer stored in the private file system as intended. Instead, they were stored in the public file system.

Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075

Date: 2024-December-11
CVE IDs: CVE-2024-13311

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074

Date: 2024-December-11
CVE IDs: CVE-2024-13310

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

Date: 2024-December-11
CVE IDs: CVE-2024-13309

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to append to the ?q=user login form page.

The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to bypass the protection offered by the module.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
