DrupalSecurityTeam
diff --git a/‎advisories/access_code/DRUPAL-CONTRIB-2025-028.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/access_code/DRUPAL-CONTRIB-2025-028.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/access_code/DRUPAL-CONTRIB-2025-108.json‎
Lines changed: 52 additions & 0 deletions b/‎advisories/access_code/DRUPAL-CONTRIB-2025-108.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎advisories/acl/DRUPAL-CONTRIB-2023-034.json‎
Lines changed: 56 additions & 0 deletions b/‎advisories/acl/DRUPAL-CONTRIB-2023-034.json‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json‎
Lines changed: 50 additions & 0 deletions b/‎advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎advisories/acquia_dam/DRUPAL-CONTRIB-2024-025.json‎
Lines changed: 67 additions & 0 deletions b/‎advisories/acquia_dam/DRUPAL-CONTRIB-2024-025.json‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎advisories/acquia_dam/DRUPAL-CONTRIB-2025-105.json‎
Lines changed: 64 additions & 0 deletions b/‎advisories/acquia_dam/DRUPAL-CONTRIB-2025-105.json‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎advisories/addtoany/DRUPAL-CONTRIB-2019-039.json‎
Lines changed: 50 additions & 0 deletions b/‎advisories/addtoany/DRUPAL-CONTRIB-2019-039.json‎
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2025-028",
+  "modified": "2025-04-02T17:02:32.000Z",
+  "published": "2025-04-02T17:02:32.000Z",
+  "aliases": [
+    "CVE-2025-3129"
+  ],
+  "details": "This module enables users to log in using a short access code instead of providing a username/password combination.\n\nThe module doesn't sufficiently protect against brute force attacks to guess a user's access code.\n\nThis vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:\n\n1. disabling the access code login method for critical accounts\n2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/access_code"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.4"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.0.4"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.0.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2025-028"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Marcin Maruszewski (marcin maruszewski)",
+      "contact": [
+        "https://www.drupal.org/u/marcin-maruszewski"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2025-108",
+  "modified": "2025-09-24T17:27:20.000Z",
+  "published": "2025-09-24T17:27:20.000Z",
+  "aliases": [
+    "CVE-2025-10928"
+  ],
+  "details": "This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the \"change own access code\" permission.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/access_code"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.5"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.0.5"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.0.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2025-108"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2023-034",
+  "modified": "2023-08-23T18:45:47.000Z",
+  "published": "2023-08-23T14:51:16.000Z",
+  "aliases": [],
+  "details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acl"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.0.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.0.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2023-034"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber",
+      "contact": [
+        "https://www.drupal.org/user/255969"
+      ]
+    },
+    {
+      "name": "Samuel Mortenson",
+      "contact": [
+        "https://www.drupal.org/user/2582268"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2019-014",
+  "modified": "2023-08-11T19:23:01.000Z",
+  "published": "2019-02-06T18:13:19.000Z",
+  "aliases": [],
+  "details": "Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.\n\nThe module does not properly enforce access control in a specific case, which can lead to disclosing information.\n\nThe vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acquia_connector"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.16.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.16.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.16.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2019-014"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Samuel Mortenson",
+      "contact": [
+        "https://www.drupal.org/user/2582268"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2024-025",
+  "modified": "2025-02-20T19:13:15.000Z",
+  "published": "2024-06-05T16:45:02.000Z",
+  "aliases": [
+    "CVE-2024-13261"
+  ],
+  "details": "Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.\n\nThe module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acquia_dam"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.13"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.0.13"
+          }
+        },
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.1.0-beta1"
+            },
+            {
+              "fixed": "1.1.0-beta3"
+            }
+          ],
+          "database_specific": {
+            "constraint": ">=1.1.0-beta1 <1.1.0-beta3"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.0.13 || >=1.1.0-beta1 <1.1.0-beta3",
+        "patched": true
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2024-025"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Matt Glaman",
+      "contact": [
+        "https://www.drupal.org/user/2416470"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2025-105",
+  "modified": "2025-09-03T16:15:48.000Z",
+  "published": "2025-09-03T16:15:48.000Z",
+  "aliases": [
+    "CVE-2025-9954"
+  ],
+  "details": "This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.\n\nThe module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that it only impacts sites where users having the \u201cview media\u201d permission accessing any DAM asset is undesirable.\n\n**CVSS risk score ([experimental](https://www.drupal.org/project/securitydrupalorg/issues/3442181)) 6.9 / Medium**\n\n[CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N](https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acquia_dam"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.1.5"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.1.5"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.1.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2025-105"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Brandon Goodwin (bgoodie)",
+      "contact": [
+        "https://www.drupal.org/u/bgoodie"
+      ]
+    },
+    {
+      "name": "Chris Burge (chris burge)",
+      "contact": [
+        "https://www.drupal.org/u/chris-burge"
+      ]
+    },
+    {
+      "name": "Todd Woofenden (toddwoof)",
+      "contact": [
+        "https://www.drupal.org/u/toddwoof"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2019-039",
+  "modified": "2023-08-11T18:43:25.000Z",
+  "published": "2019-03-20T13:26:14.000Z",
+  "aliases": [],
+  "details": "This module enables you to add social media share buttons on your website to its content and pages.\n\nThe module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer addtoany\".\n\n*This advisory was edited on March 25th to add the affected 8.x-1.11 release.*",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/addtoany"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.11.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.11.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.11.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2019-039"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Balazs Janos Tatar",
+      "contact": [
+        "https://www.drupal.org/user/649590"
+      ]
+    }
+  ]
+}