Skip to content

Commit 41b425a

Browse files
feat: update advisories (#103)
🤖 beep boop - looks like there's some changes to the advisories! Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
1 parent a3230ff commit 41b425a

2 files changed

Lines changed: 124 additions & 0 deletions

File tree

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-087",
4+
"modified": "2025-07-09T16:37:27.000Z",
5+
"published": "2025-07-09T16:37:27.000Z",
6+
"aliases": [
7+
"CVE-2025-7392"
8+
],
9+
"details": "This module provides a format filter, which allows you to \"disable\" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.\n\nThe module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/cookies_addons"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "1.0.1"
23+
},
24+
{
25+
"fixed": "1.2.4"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": ">1.0.0 < 1.2.4",
30+
"warnings": [
31+
"the > operator should be avoided as it does not provide a concrete version"
32+
]
33+
}
34+
}
35+
],
36+
"database_specific": {
37+
"affected_versions": ">1.0.0 < 1.2.4"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://www.drupal.org/sa-contrib-2025-087"
45+
}
46+
],
47+
"credits": [
48+
{
49+
"name": "Pierre Rudloff (prudloff)",
50+
"contact": [
51+
"/u/prudloff"
52+
]
53+
}
54+
]
55+
}
Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-088",
4+
"modified": "2025-07-09T16:37:40.000Z",
5+
"published": "2025-07-09T16:37:40.000Z",
6+
"aliases": [
7+
"CVE-2025-7393"
8+
],
9+
"details": "This module enables users to login by email address with the minimal configurations.\n\nThe module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/mail_login"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "3.0.1"
23+
},
24+
{
25+
"fixed": "3.2.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": ">3.0.0 <3.2.0",
30+
"warnings": [
31+
"the > operator should be avoided as it does not provide a concrete version"
32+
]
33+
}
34+
},
35+
{
36+
"type": "ECOSYSTEM",
37+
"events": [
38+
{
39+
"introduced": "4.0.0"
40+
},
41+
{
42+
"fixed": "4.2.0"
43+
}
44+
],
45+
"database_specific": {
46+
"constraint": ">=4.0.0 <4.2.0"
47+
}
48+
}
49+
],
50+
"database_specific": {
51+
"affected_versions": ">3.0.0 <3.2.0 || >=4.0.0 <4.2.0"
52+
}
53+
}
54+
],
55+
"references": [
56+
{
57+
"type": "WEB",
58+
"url": "https://www.drupal.org/sa-contrib-2025-088"
59+
}
60+
],
61+
"credits": [
62+
{
63+
"name": "Ryugo Kinoshita (dc-kinoshita)",
64+
"contact": [
65+
"/u/dc-kinoshita"
66+
]
67+
}
68+
]
69+
}

0 commit comments

Comments
 (0)