Drupal Contrib Security

Project: Configuration SplitDate: 2025-February-12Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.10.0 || >=2.0.0 <2.0.2Description: 

This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.

This vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it.
The status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.

Solution: 

Install the latest version:

• If you use the Config Split module 8.x-1.x, upgrade to Config Split 8.x-1.10
• If you use the Config Split module 2.0.x, upgrade to Config Split 2.0.2

Reported By: 

• Eric Smith (ericgsmith)

Fixed By: 

• Fabian Bircher (bircher)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: SpamSpan filterDate: 2025-February-12Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <3.2.1Description: 

This module enables your site to obfuscate Email addresses and prevent spambots to collect them.

The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page.

Solution: 

Install the latest version:

• If you use the Spamspan filter module for Drupal 10.x, upgrade to Spamspan filter 3.2.1

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Julian Pustkuchen (anybody)
• Joshua Sedler (grevil)
• Adam Nagy (joevagyok)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Open SocialDate: 2025-February-12Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <12.3.11 || >=12.4.0 <12.4.10Description: 

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events.

Invites for a specific user can be seen under certain conditions.

The issue is mitigated for events by the fact that social_event_max_enroll has to be enabled.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.11
• If you use Open Social 12.4.x upgrade to Open Social 12.4.10

Reported By: 

• Robert Ragas (robertragas)
• zanvidmar

Fixed By: 

• Denis Kolmerschlag (uber_denis)
• zanvidmar

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: Open SocialDate: 2025-February-12Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <12.3.11 || >=12.4.0 <12.4.10 Description: 

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.

Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate these parts.

The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language.

Solution: 

Install the latest version:

• If you use Open Social 12.3.x upgrade to Open Social 12.3.11
• If you use Open Social 12.4.x upgrade to Open Social 12.4.10

Reported By: 

• Robert Ragas (robertragas)
• zanvidmar

Fixed By: 

• Denis Kolmerschlag (uber_denis)
• zanvidmar

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team

Project: OAuth2 ClientDate: 2025-February-05Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <4.1.3Description: 

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling a client.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the client and deceive another user with this permission.

Solution: 

Install the latest version:

• If you use the Oauth2 Client module for Drupal 10 or 11, upgrade to Oauth2 Client 4.1.3

Reported By: 

• Tobias Bähr

Fixed By: 

• Shawn Duncan
• Tobias Bähr

Coordinated By: 

• cilefen of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Google TagDate: 2025-January-29Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <1.8.0 || >=2.0.0 <2.0.8Description: 

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).

This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.

Solution: 

Install the latest version:

• If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
• If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8

Reported By: 

• Pierre Rudloff
• Florent Torregrosa

Fixed By: 

• Jim Berry
• Jakob P

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Google TagDate: 2025-January-29Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.8.0 || >=2.0.0 <2.0.8Description: 

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

Solution: 

Install the latest version:

• If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
• If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8

Reported By: 

• Pierre Rudloff

Fixed By: 

• Jakob P
• Jim Berry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project:  Drupal Admin LTE themeDate: 2025-January-29Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Authenticator LoginDate: 2025-January-29Security risk: Critical 18 ∕ 25 AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.6Description: 

This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.

The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.

Solution: 

Install the latest version:

• If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent, as the 1.0.x branch is now unsupported
• If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent
• If you use the alogin module 2.1.x, you do not need to do anything

Reported By: 

• Ahmed Raza

Fixed By: 

• Ahmed Raza

Coordinated By: 

• Damien McKenna of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Matomo AnalyticsDate: 2025-January-29Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryAffected versions: <1.24.0Description: 

This module enables you to add the Matomo web statistics tracking system to your website.

The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.

The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.

This vulnerability is mitigated by the fact that:

• The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
• An attacker must know the machine name of the container.

Solution: 

Install the latest version:

• If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to Matomo Analytics 8.x-1.24

Reported By: 

• Ivo Van Geertruyen of the Drupal Security Team

Fixed By: 

• Ivo Van Geertruyen of the Drupal Security Team
• Florent Torregrosa

Coordinated By: 

• Ivo Van Geertruyen of the Drupal Security Team

Project: Ignition Error PagesDate: 2025-January-22Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.4Description: 

This module enables you to render error pages using the Ignition package.

The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that this module is for development purposes and is not intended to be installed on production environments.

Solution: 

Install the latest version:

• If you use the Ignition Error Pages module for Drupal 10/11, upgrade to Ignition Error Pages 1.0.4

Reported By: 

• Dieter Holvoet

Fixed By: 

• catch of the Drupal Security Team
• Dieter Holvoet
• Heine Deelstra of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• James Gilliland of the Drupal Security Team

Project: Material AdminDate: 2025-January-22Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Flattern – Multipurpose Bootstrap Business ProfileDate: 2025-January-22Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: AI (Artificial Intelligence)Date: 2025-January-22Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.0.3Description: 

The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.

The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.

This vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.

Solution: 

Install the latest version:

• If you use AI 1.x, upgrade to AI 1.0.3.

An update hook will update the view to use the view ai log permission. If you use version controlled configuration, remember to capture this.

(or) Disable the AI Logging module.

(or) Manually update the ai_logs view's access check to use the view ai log permission.

Reported By: 

• Mingsong

Fixed By: 

• Scott Euser
• Marcus Johansson
• Andrew Belcher

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Dave Long of the Drupal Security Team

Project: AI (Artificial Intelligence)Date: 2025-January-15Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: >1.0.0 <1.0.2Description: 

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.

The AI Chatbot module doesn't protect against Cross Site Request Forgeries in the Deepchat chatbot. This could allow an attacker to craft a scenario that can forge a request on behalf of a privileged user. When combined with the AI Search submodule, this could result in the AI Assistant exposing indexed data that the attacker should not have access to. When combined with the external AI Agent module, this could result in the AI Assistant exposing and allowing modification of site configuration of fields, content types, and vocabularies. Sites with custom built agents, with more privileged access, could be at greater risk from an exploit of this vulnerability.

This vulnerability is mitigated by:

• The targeted user needs to have an active session with a role with the "access deepchat api" permission and permission to assistants.
• To extract data, the target site must have a permissive CORS policy allowing the attacking site to read the result of a cross origin request.
• To modify data, the targeted user must have permission to use the configured agents.

Solution: 

Install the latest version:

• If you use the AI module, upgrade to AI 1.0.2

If you cannot update, you can can uninstall the AI Chatbot sub-module.

Reported By: 

• Marcus Johansson

Fixed By: 

• Marcus Johansson
• Michal Gow
• Kevin Quillen
• Andrew Belcher

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Profile PrivateDate: 2025-January-08Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Reported By: 

• Dezső Biczó

Coordinated By: 

• Ivo Van Geertruyen of the Drupal Security Team
• Cathy Theys of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Email TFADate: 2025-January-08Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.3Description: 

This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site.

The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.

This vulnerability is mitigated by the fact the attacker must be able to present the username and first factor (i.e. password).

Solution: 

Install the latest version:

• If you use the Email TFA module, upgrade to Email TFA 2.0.3

Reported By: 

• Ursin Cola

Fixed By: 

• Ursin Cola
• abdulaziz zaid

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Open SocialDate: 2024-December-11Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=11.8.0 <12.3.10 || >=12.4.0 <12.4.9CVE IDs: CVE-2024-13312Description: 

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_file_private to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem.

For installations of Open Social prior to version 11.8.0, after updating to 11.8.0 or higher, newly uploaded files were no longer stored in the private file system as intended. Instead, they were stored in the public file system.

Solution: 

Install the latest version and make sure to run the update hooks.

• If you use Open Social 12.3.x upgrade to Open Social 12.3.10
• If you use Open Social 12.4.x upgrade to Open Social 12.4.9

Note: If some files were uploaded during that time and became unused, the update hook cannot move them. These files will require manual cleanup. Read the module release notes linked above for advice on how to handle that situation.

Reported By: 

• corn696

Fixed By: 

• corn696
• Robert Ragas

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Allow All File Extensions for file fieldsDate: 2024-December-11Security risk: Critical 18 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2024-13311Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Project: Git Utilities for DrupalDate: 2024-December-11Security risk: Critical 17 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *CVE IDs: CVE-2024-13310Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...