Drupal Security

Project: ObfuscateDate: 2025-April-02Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: <2.0.1CVE IDs: CVE-2025-3130Description: 

This module enables you to obfuscate email addresses, to avoid them being easily available to spammers.

The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML tag attributes. In a default Drupal installation this would require the administrator role and use of the Full HTML text format. It also requires that the ROT13 encoding be enabled in Obfuscate settings.

Solution: 

Install the latest version:

• Upgrade to Obfuscate 2.0.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Nigel Cunningham (nigelcunningham)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team

Project: Access codeDate: 2025-April-02Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.4CVE IDs: CVE-2025-3129Description: 

This module enables users to log in using a short access code instead of providing a username/password combination.

The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:

1. disabling the access code login method for critical accounts
2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)

Solution: 

Install the latest version:

• If you use the access_code module for Drupal 8.x or later, upgrade to access_code 2.0.4

Reported By: 

• Marcin Maruszewski (marcin maruszewski)

Fixed By: 

• Gergely Lekli (glekli)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: TacJSDate: 2025-April-02Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <6.7.0CVE IDs: CVE-2025-31476Description: 

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.

Solution: 

Install the latest version:

• If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.7

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Frank Mably (mably)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: >= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5CVE IDs: CVE-2025-31675Description: 

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.14
• If you use Drupal 10.4.x, update to Drupal 10.4.5
• If you use Drupal 11.0.x, update to Drupal 11.0.13
• If you use Drupal 11.1.x, update to Drupal 11.1.5

All versions of Drupal prior to 10.3 are end-of-life and do not receive security coverage from the Drupal Security Team.

Reported By: 

• Samuel Mortenson (samuel.mortenson)

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
• Alex Bronstein (effulgentsia)
• Jen Lampton (jenlampton) Provisional Member of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
• Adam G-H (phenaproxima)
• Samuel Mortenson (samuel.mortenson)
• Jess (xjm) of the Drupal Security Team

Project: Formatter SuiteDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingAffected versions: <2.1.0CVE IDs: CVE-2025-31697Description: 

Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Solution: 

Install the latest version:

• If you use the Formatter Suite module for Drupal 10, upgrade to Formatter Suite 2.1.0
• Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5

Reported By: 

• Daniel Wehner (dawehner)
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
• cyoun
• Lee Rowlands (larowlan) of the Drupal Security Team
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: RapiDoc OAS Field FormatterDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingAffected versions: <1.0.1CVE IDs: CVE-2025-31696Description: 

This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Solution: 

Install the latest version:

• If you use the RapiDoc OAS Field Formatter module for Drupal 10, upgrade to RapiDoc OAS Field Formatter 1.0.1
• Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5

Reported By: 

• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team

Fixed By: 

• Arlina Espinoza Rhoton (arlina)
• Benji Fisher (benjifisher) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Link field display mode formatterDate: 2025-March-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scriptingAffected versions: <1.6.0CVE IDs: CVE-2025-31695Description: 

This module adds a formatter for link fields that displays the current entity with another view mode inside the link.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Solution: 

Install the latest version:

• If you use the Link field display mode formatter module for Drupal 10 or 11, upgrade to Link field display mode formatter 8.x-1.6
• Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5

Reported By: 

• Daniel Wehner (dawehner)
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• Joseph Zhao (pandaski) Provisional Member of the Drupal Security Team
• Rodrigo Aguilera (rodrigoaguilera)

Coordinated By: 

• Bram Driesen (bramdriesen) Provisional Member of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Two-factor Authentication (TFA)Date: 2025-March-05Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.10.0CVE IDs: CVE-2025-31694Description: 

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.

This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.

Solution: 

Install the latest version and run database updates:

1. If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.10
2. Run the database updates. See help documentation on how to run database updates.

TFA 8.x-1.10 will provide a status report error if it detects a known route is being bypassed.

Caution: TFA 8.x-1.10 will attempt to restore these routes to expected norms. This may disable routes added by other modules.

Reported By: 

• Conrad Lara (cmlara)
• Elaman Imashov (elaman)

Fixed By: 

• Conrad Lara (cmlara)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: AI (Artificial Intelligence)Date: 2025-March-05Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget ChainAffected versions: <1.0.5CVE IDs: CVE-2025-31693Description: 

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out a field data using LLM outputs.

The module contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It may be possible to escalate this attack to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). The potential vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

Solution: 

Install the latest version:

• If you use the AI module for Drupal, upgrade to AI 1.0.5

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Marcus Johansson (marcus_johansson)
• Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Project: AI (Artificial Intelligence)Date: 2025-March-05Security risk: Critical 15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionAffected versions: <1.0.5CVE IDs: CVE-2025-31692Description: 

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.

The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.

The vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

Solution: 

Install the latest version:

• If you use the AI module for Drupal, upgrade to AI 1.0.5

Reported By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Fixed By: 

• Marcus Johansson (marcus_johansson)
• Drew Webber (mcdruid) of the Drupal Security Team
• Michal Gow (seogow)

Coordinated By: 

• Drew Webber (mcdruid) of the Drupal Security Team

Project: OAuth2 ServerDate: 2025-February-26Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <2.1.0CVE IDs: CVE-2025-31691Description: 

Provides OAuth2 server functionality based on the oauth2-server-php library.

The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate.

Solution: 

Install the latest version:

• If you use the OAuth2 server module for Drupal 2.x, upgrade to OAuth2 server 2.1.0

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• cafuego
• Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Cache UtilityDate: 2025-February-26Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.2.1CVE IDs: CVE-2025-31690Description: 

The Cache Utility module provides an ability to view status and flush various caches.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.

Solution: 

Install the latest version:

• If you use the Cache Utility module for Drupal 1.2.x, upgrade to Cache Utility 1.2.1
• If you use the Cache Utility module for Drupal 1.x, you can also upgrade to Cache Utility 1.3.0

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• cyoun

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: General Data Protection RegulationDate: 2025-February-26Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.0.1 || >=3.1.0 <3.1.2CVE IDs: CVE-2025-31689Description: 

The GDPR Task submodule enables you to create GDPR tasks.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.

Solution: 

Install the latest version:

• If you use the General Data Protection Regulation module 3.0.x, upgrade to 3.0.1
• If you use the General Data Protection Regulation module 3.1.x, upgrade to 3.1.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Peter Pónya (pedrop)
• szato

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Drupal coreDate: 2025-February-19Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget ChainAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3CVE IDs: CVE-2025-31674Description: 

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.13
• If you use Drupal 10.4.x, update to Drupal 10.4.3
• If you use Drupal 11.0.x, update to Drupal 11.0.12
• If you use Drupal 11.1.x, update to Drupal 11.1.3

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• anzuukino
• shin24

Fixed By: 

• ghost of drupal past
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• nicxvan
• shin24

Project: Drupal coreDate: 2025-February-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3CVE IDs: CVE-2025-31673Description: 

Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.

A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.

In particular, the bulk operations

• Make content sticky
• Make content unsticky
• Promote content to front page
• Publish content
• Remove content from front page
• Unpublish content

now require the "Administer content" permission.

Solution: 

Install the latest version:

• If you are using Drupal 10.3, update to Drupal 10.3.13.
• If you are using Drupal 10.4, update to Drupal 10.4.3.
• If you are using Drupal 11.0, update to Drupal 11.0.12.
• If you are using Drupal 11.1, update to Drupal 11.1.3.

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• jeff cardwell

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• jeff cardwell
• Mingsong (mingsong) Provisional Member of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-February-19Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3CVE IDs: CVE-2025-3057Description: 

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).

Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.13
• If you use Drupal 10.4.x, update to Drupal 10.4.3
• If you use Drupal 11.0.x, update to Drupal 11.0.12
• If you use Drupal 11.1.x, update to Drupal 11.1.3

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Arne (arkepp)
• bdanin
• Douglas Groene (dgroene)
• Dragos Dumitrescu (dragos-dumi)
• Flo Kosiol (flokosiol)
• Gerardo Cadau (juanramonperez)
• Justin Christoffersen (larsdesigns)
• nuwans
• Sven Decabooter (svendecabooter)
• Will Gunn (wgunn_e)

Fixed By: 

• catch (catch) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security

Team

Project: Configuration SplitDate: 2025-February-12Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.10.0 || >=2.0.0 <2.0.2CVE IDs: CVE-2025-31688Description: 

This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.

This vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it.
The status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.

Solution: 

Install the latest version:

• If you use the Config Split module 8.x-1.x, upgrade to Config Split 8.x-1.10
• If you use the Config Split module 2.0.x, upgrade to Config Split 2.0.2

Reported By: 

• Eric Smith (ericgsmith)

Fixed By: 

• Fabian Bircher (bircher)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: SpamSpan filterDate: 2025-February-12Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-31687Description: 

This module enables your site to obfuscate Email addresses and prevent spambots to collect them.

The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page.

Solution: 

Install the latest version:

• If you use the Spamspan filter module for Drupal 10.x, upgrade to Spamspan filter 3.2.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Julian Pustkuchen (anybody)
• Joshua Sedler (grevil)
• Adam Nagy (joevagyok)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Open SocialDate: 2025-February-12Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <12.3.11 || >=12.4.0 <12.4.10CVE IDs: CVE-2025-31686Description: 

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events.

Invites for a specific user can be seen under certain conditions.

The issue is mitigated for events by the fact that social_event_max_enroll has to be enabled.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.11
• If you use Open Social 12.4.x upgrade to Open Social 12.4.10

Reported By: 

• Robert Ragas (robertragas)
• zanvidmar

Fixed By: 

• Denis Kolmerschlag (uber_denis)
• zanvidmar

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Open SocialDate: 2025-February-12Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <12.3.11 || >=12.4.0 <12.4.10 CVE IDs: CVE-2025-31685Description: 

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.

Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate these parts.

The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.11
• If you use Open Social 12.4.x upgrade to Open Social 12.4.10

Reported By: 

• Robert Ragas (robertragas)
• zanvidmar

Fixed By: 

• Denis Kolmerschlag (uber_denis)
• zanvidmar

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team