Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

Date: 2025-May-07
CVE IDs: CVE-2025-47710

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module does not sufficiently ensure that known login routes are protected.

This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

Date: 2025-May-07
CVE IDs: CVE-2025-47709

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings.

Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054

Date: 2025-May-07
CVE IDs: CVE-2025-47708

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks.

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

Date: 2025-May-07
CVE IDs: CVE-2025-47707

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't invoke two-factor authentication (2FA) for the password reset flow.

This vulnerability is mitigated by the fact that an attacker must have access to the password reset link.

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

Date: 2025-May-07
CVE IDs: CVE-2025-47706

The module enables you to add second-factor authentication in addition to the default Drupal login.

The module doesn't sufficiently check whether a TOTP token has already been used for authenticator-based second-factor methods, so a token can be replayed.

This vulnerability is mitigated by the fact that an attacker must have the username, the password and a TOTP token generated within the last 5 minutes.

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Date: 2025-May-07
CVE IDs: CVE-2025-47705

This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.

Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050

Date: 2025-May-07
CVE IDs: CVE-2025-47704

The Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It modifies the page markup to enable or disable loading of those resources.

The module doesn't sufficiently sanitize data attributes, allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049

Date: 2025-May-07
CVE IDs: CVE-2025-47703

The COOKiES module protects users from executing JavaScript code provided by third parties (e.g., to display ads or track user data) without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, it does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

Date: 2025-May-07
CVE IDs: CVE-2025-47702

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility that the permission is granted too broadly, including to users without the ability to adequately vet providers. A malicious provider could then execute a Cross Site Scripting (XSS) attack.

Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

Date: 2025-May-07
CVE IDs: CVE-2025-47701

The Restrict route by IP module provides an interface to manage route restriction by IP address.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks.

This vulnerability is mitigated by the fact that an attacker must know the route machine name.
