Show advisories for only Drupal Core, only contributed projects, or only PSAs

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Date: 
2025-March-19
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026

Date: 
2025-March-19
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

Date: 
2025-March-19
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024

Date: 
2025-March-19
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

This module adds a formatter for link fields that displays the current entity with another view mode inside the link.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023

Date: 
2025-March-05
Security risk: 
Moderately critical 13 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022

Date: 
2025-March-05
Security risk: 
Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out a field data using LLM outputs.

The module contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It may be possible to escalate this attack to Remote Code Execution. It is not directly exploitable.

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

Date: 
2025-March-05
Security risk: 
Critical 15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.

The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.

The vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

Date: 
2025-February-26
Security risk: 
Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Provides OAuth2 server functionality based on the oauth2-server-php library.

The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate.

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

Date: 
2025-February-26
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

The Cache Utility module provides an ability to view status and flush various caches.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Date: 
2025-February-26
Security risk: 
Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

The GDPR Task submodule enables you to create GDPR tasks.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.

Pages

Subscribe with RSS Subscribe to Security advisories