AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

Date: 2025-January-15

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.

Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002

Date: 2025-January-08

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001

Date: 2025-January-08

This module enables two-factor authentication by email: a verification code is sent to the user's registered email address every time the user tries to log in to your site.

The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.

This vulnerability is mitigated by the fact that the attacker must be able to present the username and first factor (i.e. password).

Drupal 7 End of Life - PSA-2025-01-06

Date: 2025-January-06

Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided.

What this means for you:

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Date: 2024-December-11

Open Social is a Drupal distribution for online communities. It ships with a default (optional) module, social_file_private, which ensures that the images and files provided by the distribution are stored in the private filesystem instead of the public one.

For installations of Open Social prior to version 11.8.0, after updating to 11.8.0 or higher, newly uploaded files were no longer stored in the private file system as intended. Instead, they were stored in the public file system.

Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075

Date: 2024-December-11

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074

Date: 2024-December-11

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

Date: 2024-December-11

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to bypass the protection offered by the module.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.

Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

Date: 2024-December-11

This module provides a block that renders a link providing the functionality of a browser's back button.

The module does not sufficiently escape text entered by an administrator, resulting in a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Date: 2024-December-04

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.
