Skip to content

Commit b50349d

Browse files
authored
feat: update advisories as of 2025-05-22 (#43)
1 parent c93b795 commit b50349d

24 files changed

Lines changed: 1322 additions & 1 deletion
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-068",
4+
"modified": "2025-05-22T05:29:14.000Z",
5+
"published": "2025-05-22T05:29:14.000Z",
6+
"aliases": [
7+
"CVE-2025-48448"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events (login, logout, and password reset requests).\n\nThe module does not sufficiently limit some large values before logging the data.",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/admin_audit_trail"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "1.0.5"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<1.0.5"
32+
}
33+
}
34+
],
35+
"database_specific": {
36+
"affected_versions": "<1.0.5"
37+
}
38+
}
39+
],
40+
"references": [
41+
{
42+
"type": "WEB",
43+
"url": "https://www.drupal.org/sa-contrib-2025-068"
44+
}
45+
],
46+
"credits": [
47+
{
48+
"name": "Scott Phillips (scottatdrake)",
49+
"contact": [
50+
"/u/scottatdrake"
51+
]
52+
}
53+
]
54+
}
Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-057",
4+
"modified": "2025-05-15T07:39:43.000Z",
5+
"published": "2025-05-15T06:04:31.000Z",
6+
"aliases": [],
7+
"related": [],
8+
"summary": "",
9+
"details": "The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads.\n\nThe module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The project maintainer did not follow the terms and conditions for hosting projects on drupal.org that are opted into security coverage, so the module is losing its security coverage. The private issues may be made public at the discretion of the reporter and maintainer.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/advanced_file_destination"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
}
24+
],
25+
"database_specific": {
26+
"constraint": "*"
27+
}
28+
}
29+
],
30+
"database_specific": {
31+
"affected_versions": "*"
32+
}
33+
}
34+
],
35+
"references": [
36+
{
37+
"type": "WEB",
38+
"url": "https://www.drupal.org/sa-contrib-2025-057"
39+
}
40+
],
41+
"credits": [
42+
{
43+
"name": "Conrad Lara (cmlara)",
44+
"contact": [
45+
"/u/cmlara"
46+
]
47+
}
48+
]
49+
}
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-067",
4+
"modified": "2025-05-22T05:28:55.000Z",
5+
"published": "2025-05-22T05:28:55.000Z",
6+
"aliases": [
7+
"CVE-2025-48446"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/commerce_alphabank_redirect"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "1.0.3"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<1.0.3"
32+
}
33+
}
34+
],
35+
"database_specific": {
36+
"affected_versions": "<1.0.3"
37+
}
38+
}
39+
],
40+
"references": [
41+
{
42+
"type": "WEB",
43+
"url": "https://www.drupal.org/sa-contrib-2025-067"
44+
}
45+
],
46+
"credits": [
47+
{
48+
"name": "Marios Tsalkidis (silios)",
49+
"contact": [
50+
"/u/silios"
51+
]
52+
}
53+
]
54+
}
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-066",
4+
"modified": "2025-05-22T05:28:47.000Z",
5+
"published": "2025-05-22T05:28:47.000Z",
6+
"aliases": [
7+
"CVE-2025-48445"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "This module enables you to pay for Commerce order to an environment provided and secured by the bank\n\nThe module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed.",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/commerce_eurobank_redirect"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "2.1.1"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<2.1.1"
32+
}
33+
}
34+
],
35+
"database_specific": {
36+
"affected_versions": "<2.1.1"
37+
}
38+
}
39+
],
40+
"references": [
41+
{
42+
"type": "WEB",
43+
"url": "https://www.drupal.org/sa-contrib-2025-066"
44+
}
45+
],
46+
"credits": [
47+
{
48+
"name": "Marios Tsalkidis (silios)",
49+
"contact": [
50+
"/u/silios"
51+
]
52+
}
53+
]
54+
}
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-049",
4+
"modified": "2025-05-08T05:06:36.000Z",
5+
"published": "2025-05-08T05:06:36.000Z",
6+
"aliases": [
7+
"CVE-2025-47703"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.\n\nThe cookies\\_asset\\_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.\n\nA potential attacker would at least need permission to create and publish HTML (e.g. content or comments).",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/cookies"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "1.2.14"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<1.2.14"
32+
}
33+
}
34+
],
35+
"database_specific": {
36+
"affected_versions": "<1.2.14"
37+
}
38+
}
39+
],
40+
"references": [
41+
{
42+
"type": "WEB",
43+
"url": "https://www.drupal.org/sa-contrib-2025-049"
44+
}
45+
],
46+
"credits": [
47+
{
48+
"name": "Pierre Rudloff (prudloff)",
49+
"contact": [
50+
"/u/prudloff"
51+
]
52+
}
53+
]
54+
}
Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-059",
4+
"modified": "2025-05-15T06:04:52.000Z",
5+
"published": "2025-05-15T06:04:52.000Z",
6+
"aliases": [
7+
"CVE-2025-4416"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "The Events Log Track module enables you to log specific events on a Drupal site.\n\nThe module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/events_log_track"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "3.1.11"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<3.1.11"
32+
}
33+
},
34+
{
35+
"type": "ECOSYSTEM",
36+
"events": [
37+
{
38+
"introduced": "4.0.0"
39+
},
40+
{
41+
"fixed": "4.0.2"
42+
}
43+
],
44+
"database_specific": {
45+
"constraint": ">=4.0.0 <4.0.2"
46+
}
47+
}
48+
],
49+
"database_specific": {
50+
"affected_versions": "<3.1.11 || >=4.0.0 <4.0.2"
51+
}
52+
}
53+
],
54+
"references": [
55+
{
56+
"type": "WEB",
57+
"url": "https://www.drupal.org/sa-contrib-2025-059"
58+
}
59+
],
60+
"credits": [
61+
{
62+
"name": "Scott Phillips (scottatdrake)",
63+
"contact": [
64+
"/u/scottatdrake"
65+
]
66+
}
67+
]
68+
}
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
{
2+
"schema_version": "1.3.0",
3+
"id": "OSV-SA-CONTRIB-2025-051",
4+
"modified": "2025-05-08T05:35:33.000Z",
5+
"published": "2025-05-08T05:07:03.000Z",
6+
"aliases": [
7+
"CVE-2025-47705"
8+
],
9+
"related": [],
10+
"summary": "",
11+
"details": "This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the \"src\" is not on the allowlist.\n\nThe module doesn't sufficiently filter these iframes in certain situations.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.",
12+
"affected": [
13+
{
14+
"package": {
15+
"ecosystem": "Packagist",
16+
"name": "drupal/iframeremove"
17+
},
18+
"severity": [],
19+
"ranges": [
20+
{
21+
"type": "ECOSYSTEM",
22+
"events": [
23+
{
24+
"introduced": "0"
25+
},
26+
{
27+
"fixed": "2.0.5"
28+
}
29+
],
30+
"database_specific": {
31+
"constraint": "<2.0.5"
32+
}
33+
}
34+
],
35+
"database_specific": {
36+
"affected_versions": "<2.0.5"
37+
}
38+
}
39+
],
40+
"references": [
41+
{
42+
"type": "WEB",
43+
"url": "https://www.drupal.org/sa-contrib-2025-051"
44+
}
45+
],
46+
"credits": [
47+
{
48+
"name": "Pierre Rudloff (prudloff)",
49+
"contact": [
50+
"/u/prudloff"
51+
]
52+
}
53+
]
54+
}

0 commit comments

Comments
 (0)