Skip to content

Commit c0b7d28

Browse files
feat: update advisories (#129)
🤖 beep boop - looks like there's some changes to the advisories! Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
1 parent bfb2d5e commit c0b7d28

6 files changed

Lines changed: 312 additions & 0 deletions

File tree

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-108",
4+
"modified": "2025-09-24T17:27:20.000Z",
5+
"published": "2025-09-24T17:27:20.000Z",
6+
"aliases": [
7+
"CVE-2025-10928"
8+
],
9+
"details": "This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the \"change own access code\" permission.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/access_code"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "2.0.5"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<2.0.5"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<2.0.5"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-108"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-110",
4+
"modified": "2025-09-24T17:27:41.000Z",
5+
"published": "2025-09-24T17:27:41.000Z",
6+
"aliases": [
7+
"CVE-2025-10930"
8+
],
9+
"details": "This module allows you to use different currencies on your website and do currency conversion.\n\nThe module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/currency"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "3.5.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<3.5.0"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<3.5.0"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-110"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Juraj Nemec (poker10)",
47+
"contact": [
48+
"https://www.drupal.org/u/poker10"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-106",
4+
"modified": "2025-09-24T17:16:20.000Z",
5+
"published": "2025-09-24T17:16:20.000Z",
6+
"aliases": [
7+
"CVE-2025-10926"
8+
],
9+
"details": "This module enables you to store and display JSON data using optional 3rd party libraries.\n\nThe module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/json_field"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.5.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.5"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.5"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-106"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Ivan (chi)",
47+
"contact": [
48+
"https://www.drupal.org/u/chi"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-107",
4+
"modified": "2025-09-24T17:18:08.000Z",
5+
"published": "2025-09-24T17:18:08.000Z",
6+
"aliases": [
7+
"CVE-2025-10927"
8+
],
9+
"details": "This module integrates Plausible Analytics on a site.\n\nThe module did not properly filter output in certain cases.\n\nThis vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/plausible_tracking"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.0.2"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.0.2"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.0.2"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-107"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-111",
4+
"modified": "2025-09-24T17:28:05.000Z",
5+
"published": "2025-09-24T17:28:05.000Z",
6+
"aliases": [
7+
"CVE-2025-10929"
8+
],
9+
"details": "This module allows you to specify an HTTP header name to determine the client's IP address.\n\nThe module doesn't sufficiently handle all cases under the scenario if Drupal Core settings `$settings['reverse_proxy']` is set to TRUE and `$settings['reverse_proxy_addresses']` is configured.\n\nThis vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/reverse_proxy_header"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.1.2"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.1.2"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.1.2"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-111"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-109",
4+
"modified": "2025-09-24T17:27:33.000Z",
5+
"published": "2025-09-24T17:27:33.000Z",
6+
"aliases": [
7+
"CVE-2025-10931"
8+
],
9+
"details": "This module enables you to add Umami Analytics web statistics tracking system to your website.\n\nThe \"administer umami analytics\" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the \"restrict access\" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \u201cadminister umami analytics\u201d.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/umami_analytics"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.0.1"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.0.1"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.0.1"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-109"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}

0 commit comments

Comments
 (0)