Skip to content

Commit c5ec11e

Browse files
feat: update advisories
1 parent 975bc6b commit c5ec11e

10 files changed

Lines changed: 480 additions & 5 deletions

File tree

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-081",
4+
"modified": "2025-06-25T18:42:06.000Z",
5+
"published": "2025-06-25T18:42:06.000Z",
6+
"aliases": [
7+
"CVE-2025-6674"
8+
],
9+
"details": "The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.\n\nThe module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity. \nThis vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/ckeditor5_youtube"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.0.3"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.0.3"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.0.3"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-081"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "nico.b",
47+
"contact": [
48+
"/u/nicob"
49+
]
50+
}
51+
]
52+
}

advisories/core/DSA-CORE-2025-004.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.7.0",
33
"id": "DSA-CORE-2025-004",
4-
"modified": "2025-03-31T21:57:44.000Z",
4+
"modified": "2025-06-14T13:06:04.000Z",
55
"published": "2025-03-19T18:54:35.000Z",
66
"aliases": [
77
"CVE-2025-31675"

advisories/email_tfa/DSA-CONTRIB-2025-001.json

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.7.0",
33
"id": "DSA-CONTRIB-2025-001",
4-
"modified": "2025-03-31T22:03:35.000Z",
4+
"modified": "2025-06-19T22:05:09.000Z",
55
"published": "2025-01-08T17:22:11.000Z",
66
"aliases": [
77
"CVE-2025-31676"
@@ -19,19 +19,22 @@
1919
"type": "ECOSYSTEM",
2020
"events": [
2121
{
22-
"introduced": "0"
22+
"introduced": "2.0.1"
2323
},
2424
{
2525
"fixed": "2.0.3"
2626
}
2727
],
2828
"database_specific": {
29-
"constraint": "<2.0.3"
29+
"constraint": ">2.0.0 <2.0.3",
30+
"warnings": [
31+
"the > operator should be avoided as it does not provide a concrete version"
32+
]
3033
}
3134
}
3235
],
3336
"database_specific": {
34-
"affected_versions": "<2.0.3"
37+
"affected_versions": ">2.0.0 <2.0.3"
3538
}
3639
}
3740
],
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-078",
4+
"modified": "2025-06-25T18:41:20.000Z",
5+
"published": "2025-06-25T18:41:20.000Z",
6+
"aliases": [
7+
"CVE-2025-48922"
8+
],
9+
"details": "GLightbox module is a pure Javascript lightbox for CKEditor.\n\nThe module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/glightbox"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.0.16"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.0.16"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.0.16"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-078"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-080",
4+
"modified": "2025-06-25T18:41:56.000Z",
5+
"published": "2025-06-25T18:41:56.000Z",
6+
"aliases": [
7+
"CVE-2025-5682"
8+
],
9+
"details": "Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.\n\nThe module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/klaro"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "3.0.7"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<3.0.7"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<3.0.7"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-080"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 94 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-082",
4+
"modified": "2025-06-25T18:42:17.000Z",
5+
"published": "2025-06-25T18:42:17.000Z",
6+
"aliases": [
7+
"CVE-2025-6675"
8+
],
9+
"details": "The module enables you to add second-factor authentication on top of the default Drupal login.\n\nThe module does not sufficiently ensure that known authorization routes are protected.\n\nThis vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/miniorange_2fa"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "4.8.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<4.8.0"
30+
}
31+
},
32+
{
33+
"type": "ECOSYSTEM",
34+
"events": [
35+
{
36+
"introduced": "5.2.0"
37+
},
38+
{
39+
"fixed": "5.2.1"
40+
}
41+
],
42+
"database_specific": {
43+
"constraint": ">=5.2.0 <5.2.1"
44+
}
45+
},
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "5.0.0"
51+
},
52+
{
53+
"fixed": "5.1.0"
54+
}
55+
],
56+
"database_specific": {
57+
"constraint": "5.0.*"
58+
}
59+
},
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "5.1.0"
65+
},
66+
{
67+
"fixed": "5.2.0"
68+
}
69+
],
70+
"database_specific": {
71+
"constraint": "5.1.*"
72+
}
73+
}
74+
],
75+
"database_specific": {
76+
"affected_versions": "<4.8.0 || >=5.2.0 <5.2.1 || 5.0.* || 5.1.*"
77+
}
78+
}
79+
],
80+
"references": [
81+
{
82+
"type": "WEB",
83+
"url": "https://www.drupal.org/sa-contrib-2025-082"
84+
}
85+
],
86+
"credits": [
87+
{
88+
"name": "Conrad Lara (cmlara)",
89+
"contact": [
90+
"/u/cmlara"
91+
]
92+
}
93+
]
94+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-084",
4+
"modified": "2025-06-25T18:43:00.000Z",
5+
"published": "2025-06-25T18:43:00.000Z",
6+
"aliases": [
7+
"CVE-2025-6677"
8+
],
9+
"details": "Project Paragraphs table provides a field for a collection table.\n\nThe module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/paragraphs_table"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "2.0.0"
23+
},
24+
{
25+
"fixed": "2.0.5"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": ">=2.0.0 <2.0.5"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": ">=2.0.0 <2.0.5"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-084"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"/u/prudloff"
49+
]
50+
}
51+
]
52+
}

0 commit comments

Comments
 (0)