Skip to content

Commit d764ab2

Browse files
feat: update advisories (#116)
🤖 beep boop - looks like there's some changes to the advisories! Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
1 parent a366563 commit d764ab2

2 files changed

Lines changed: 104 additions & 0 deletions

File tree

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-093",
4+
"modified": "2025-07-30T16:30:44.000Z",
5+
"published": "2025-07-30T16:30:44.000Z",
6+
"aliases": [
7+
"CVE-2025-8361"
8+
],
9+
"details": "This module enables you to access an edit page for a config page.\n\nThe module doesn't sufficiently check the access permissions (`hook_ENTITY_TYPE_access()` wasn't taken into account).\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"edit ID config page\" and that it only affects sites that have access restricted via the `hook_ENTITY_TYPE_access()` hook.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/config_pages"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "2.18.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<2.18.0"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<2.18.0"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-093"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
{
2+
"schema_version": "1.7.0",
3+
"id": "DSA-CONTRIB-2025-094",
4+
"modified": "2025-07-30T16:31:23.000Z",
5+
"published": "2025-07-30T16:31:23.000Z",
6+
"aliases": [
7+
"CVE-2025-8362"
8+
],
9+
"details": "This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.\n\nThe module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the *Administer gtm* permission enters malicious input into the *GTM-ID* field. This value is directly inserted into a `<script>` tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission *Administer gtm*, and the input field is limited to 20 characters.",
10+
"affected": [
11+
{
12+
"package": {
13+
"ecosystem": "Packagist",
14+
"name": "drupal/gtm"
15+
},
16+
"severity": [],
17+
"ranges": [
18+
{
19+
"type": "ECOSYSTEM",
20+
"events": [
21+
{
22+
"introduced": "0"
23+
},
24+
{
25+
"fixed": "1.10.0"
26+
}
27+
],
28+
"database_specific": {
29+
"constraint": "<1.10.0"
30+
}
31+
}
32+
],
33+
"database_specific": {
34+
"affected_versions": "<1.10.0"
35+
}
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://www.drupal.org/sa-contrib-2025-094"
42+
}
43+
],
44+
"credits": [
45+
{
46+
"name": "Pierre Rudloff (prudloff)",
47+
"contact": [
48+
"https://www.drupal.org/u/prudloff"
49+
]
50+
}
51+
]
52+
}

0 commit comments

Comments
 (0)