Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100

Date: 
2025-August-27
CVE IDs: 
CVE-2025-9550

This module enables you to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

Date: 
2025-August-27
CVE IDs: 
CVE-2025-9549

This module enables you to easily create and manage faceted search interfaces.

The module doesn't sufficiently check access to entities when they are displayed as facets.

This vulnerability is mitigated by the fact that only sites that show facets with entity labels (like taxonomy terms) are affected, and only if some of those entities are unpublished or have other access restrictions.

CVSS risk score (experimental) 6.9 / Medium

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098

Date: 
2025-August-27
CVE IDs: 
CVE-2025-8093

This module allows users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security.

The module did not protect all possible login paths provided by core modules.

CVSS risk score (experimental) 6.3 / Medium

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

Date: 
2025-August-13
CVE IDs: 
CVE-2025-8996

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

Date: 
2025-August-13
CVE IDs: 
CVE-2025-8995

This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling the authentication flow.

The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.

AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095

Date: 
2025-August-06
CVE IDs: 
CVE-2025-8675

This module enables you to provide SEO analysis and recommendations for a given URL.

The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access seo analyzer".
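One way to validate a user-supplied URL before a server-side fetch, as an added example in standalone PHP (not the AI SEO Link Advisor module's code). It goes beyond the single sink in the advisory to the checks any SSRF guard needs: a scheme and port allowlist, no embedded credentials, and resolution of the host to addresses that are all public, with the vetted address returned so the caller can pin it. The hostnames and addresses in the demo resolver are constructed; the function and variable names are mine.

```php
<?php
// Added example, not the module's code: guard a URL before the server fetches it.
declare(strict_types=1);

function is_public_ip(string $ip): bool
{
    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::,
    // ::ffff:0:0/96 (IPv4-mapped) and fe80::/10. Note: 100.64/10 (CGNAT) is not
    // covered; add an explicit check if that range is internal for you.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function resolve_host_system(string $host): array
{
    // Real resolver: A records via gethostbynamel(), AAAA via dns_get_record().
    $ips = gethostbynamel($host) ?: [];
    foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
        if (isset($rec['ipv6'])) {
            $ips[] = $rec['ipv6'];
        }
    }
    return $ips;
}

// Returns ['ok' => bool, ...]. On success 'pinned_ip' is the address the caller
// should actually connect to (with the original host in Host/SNI) so the name is
// not resolved a second time between check and use (DNS rebinding).
function validate_fetch_target(string $url, ?callable $resolver = null): array
{
    $resolver ??= 'resolve_host_system';
    $parts = parse_url($url);
    if ($parts === false) {
        return ['ok' => false, 'reason' => 'unparseable URL'];
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['ok' => false, 'reason' => "scheme not allowed: '$scheme'"];
    }
    if (!isset($parts['host'])) {
        return ['ok' => false, 'reason' => 'no host in URL'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return ['ok' => false, 'reason' => 'credentials in URL'];
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return ['ok' => false, 'reason' => 'port not allowed: ' . $parts['port']];
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    // Literal IPs are checked directly; names are resolved and EVERY answer must be
    // public, because an attacker-controlled zone can mix public and private records.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($ips === []) {
        return ['ok' => false, 'reason' => 'host does not resolve'];
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return ['ok' => false, 'reason' => "resolves to non-public address $ip"];
        }
    }
    return ['ok' => true, 'pinned_ip' => $ips[0], 'host' => $host];
}

// Constructed resolver for an offline demo: a fake zone in place of DNS.
$fake_dns = [
    'example.com'          => ['93.184.216.34'],
    'metadata.internal'    => ['169.254.169.254'],
    'rebind.attacker.test' => ['203.0.113.10', '10.0.0.5'],
];
$resolver = fn (string $h): array => $fake_dns[strtolower($h)] ?? [];

foreach ([
    'https://example.com/page',
    'http://127.0.0.1/admin',
    'http://[::1]/',
    'file:///etc/passwd',
    'http://metadata.internal/latest/meta-data/',
    'https://rebind.attacker.test/',
    'http://user:pw@example.com/',
    'http://example.com:8080/',
] as $u) {
    $r = validate_fetch_target($u, $resolver);
    printf("%-45s %s\n", $u, $r['ok'] ? 'allow -> ' . $r['pinned_ip'] : 'deny: ' . $r['reason']);
}
```

Two things the check above cannot do on its own: the fetch must not follow redirects automatically (each Location header is a new URL and has to go back through the same validation), and the connection has to be made to the pinned address rather than by name, for example with cURL's CURLOPT_RESOLVE or the equivalent option of the HTTP client in use.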

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

Date: 
2025-July-30
CVE IDs: 
CVE-2025-8362

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.

The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.
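The container-ID sink described above, as an added example in standalone PHP (not the GoogleTag Manager module's code): the value is validated against the shape of a container ID before it reaches the template, and is still JSON-encoded for the JavaScript string context as a second layer. The pattern `GTM-` plus uppercase letters and digits, and the length bounds, are an assumption about the ID format; the sample inputs are constructed.

```php
<?php
// Added example, not the module's code: validate and escape a GTM container ID
// before it is inlined into a <script> element.
declare(strict_types=1);

// Assumed format: "GTM-" followed by uppercase letters and digits. The length
// range is deliberately loose; tighten it to what Google issues.
function is_valid_gtm_id(string $id): bool
{
    return preg_match('/^GTM-[A-Z0-9]{4,12}$/', $id) === 1;
}

// The unsafe pattern the advisory describes: the stored setting is concatenated
// straight into the container snippet's JavaScript string literal.
function render_gtm_snippet_unsafe(string $id): string
{
    return "<script>(function(w,d,s,l,i){/* ... */})(window,document,'script','dataLayer','"
        . $id . "');</script>";
}

// Hardened: refuse anything that is not a container ID, then JSON-encode with the
// HEX flags so quotes, "</script>" and "&" cannot terminate the literal or the
// element even if validation is later relaxed. json_encode() also escapes
// U+2028/U+2029 by default, which are line terminators in JavaScript.
function render_gtm_snippet_safe(string $id): string
{
    if (!is_valid_gtm_id($id)) {
        throw new InvalidArgumentException('Not a GTM container ID');
    }
    $js = json_encode(
        $id,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
    return "<script>(function(w,d,s,l,i){/* ... */})(window,document,'script','dataLayer',"
        . $js . ");</script>";
}

// Constructed inputs: a normal ID, and a value an account with "Administer gtm"
// could have saved in the GTM-ID field.
$good = 'GTM-ABC1234';
$evil = "GTM-X');</script><script>alert(document.cookie)//";

echo render_gtm_snippet_unsafe($evil), PHP_EOL;   // second <script> runs
var_dump(is_valid_gtm_id($good), is_valid_gtm_id($evil));
echo render_gtm_snippet_safe($good), PHP_EOL;
try {
    render_gtm_snippet_safe($evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In a Drupal module the first function belongs in the settings form's validation (`#element_validate` or `validateForm()`, rejecting the value with `$form_state->setErrorByName()`), so that a malformed ID is never stored; the encoding step belongs wherever the snippet is rendered.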

Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093

Date: 
2025-July-30
CVE IDs: 
CVE-2025-8361

This module enables you to access an edit page for a config page.

The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.
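The Facets advisory (SA-CONTRIB-2025-099) and the Config Pages advisory above share a root cause: the code relied on a permission check, or on none, instead of asking the entity access system, which is what consults hook_entity_access() and hook_ENTITY_TYPE_access() and knows about unpublished entities. The following is an added illustration in Drupal-flavoured PHP, not code from either module; the function names are hypothetical, and it depends on Drupal's APIs rather than running as a standalone script.

```php
<?php
// Added illustration, not code from the Facets or Config Pages modules.
// Function names are hypothetical.
declare(strict_types=1);

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * The weak check: a permission alone. Neither the entity's own access handler
 * nor any hook_ENTITY_TYPE_access() implementation is consulted, so a site that
 * restricts particular config pages in a hook is bypassed.
 */
function example_edit_access_permission_only(EntityInterface $entity, AccountInterface $account): AccessResultInterface {
  return AccessResult::allowedIfHasPermission($account, 'edit ' . $entity->id() . ' config page');
}

/**
 * The intended check: delegate to the entity access handler. It combines the
 * handler's own rules with the results of hook_entity_access() and
 * hook_ENTITY_TYPE_access(), and returns an object carrying the cacheability
 * metadata (the entity, the user's permissions) the decision depends on.
 */
function example_edit_access(EntityInterface $entity, AccountInterface $account): AccessResultInterface {
  return $entity->access('update', $account, TRUE);
}

/**
 * For facet-style listings: build the visible labels only from entities the
 * current user may see, so an unpublished term's label is not disclosed.
 * 'view label' is mapped to 'view' by the default access handler unless the
 * entity type distinguishes the two (as the user entity does).
 *
 * @param \Drupal\Core\Entity\EntityInterface[] $entities
 */
function example_visible_labels(array $entities, AccountInterface $account): array {
  $labels = [];
  foreach ($entities as $entity) {
    if ($entity->access('view label', $account)) {
      $labels[$entity->id()] = $entity->label();
    }
  }
  return $labels;
}
```

When the filtered list is rendered into something cached (a facet block, for instance), the render array also needs the cache contexts and tags the decision depends on, typically `user.permissions` plus each entity's cache tags; otherwise the first user's view of the list is served to everyone.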

COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

Date: 
2025-July-23
CVE IDs: 
CVE-2025-8092

This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content, in the scenario where module-specific classes are set on the HTML element.

Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

Date: 
2025-July-16
CVE IDs: 
CVE-2025-7716

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of an XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.
