Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions advisories/cookies_addons/DSA-CONTRIB-2025-087.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-087",
"modified": "2025-07-09T16:37:27.000Z",
"published": "2025-07-09T16:37:27.000Z",
"aliases": [
"CVE-2025-7392"
],
"details": "This module provides a format filter, which allows you to \"disable\" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.\n\nThe module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/cookies_addons"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.0.1"
},
{
"fixed": "1.2.4"
}
],
"database_specific": {
"constraint": ">1.0.0 < 1.2.4",
"warnings": [
"the > operator should be avoided as it does not provide a concrete version"
]
}
}
],
"database_specific": {
"affected_versions": ">1.0.0 < 1.2.4"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-087"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"/u/prudloff"
]
}
]
}
69 changes: 69 additions & 0 deletions advisories/mail_login/DSA-CONTRIB-2025-088.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-088",
"modified": "2025-07-09T16:37:40.000Z",
"published": "2025-07-09T16:37:40.000Z",
"aliases": [
"CVE-2025-7393"
],
"details": "This module enables users to login by email address with the minimal configurations.\n\nThe module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/mail_login"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "3.0.1"
},
{
"fixed": "3.2.0"
}
],
"database_specific": {
"constraint": ">3.0.0 <3.2.0",
"warnings": [
"the > operator should be avoided as it does not provide a concrete version"
]
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.2.0"
}
],
"database_specific": {
"constraint": ">=4.0.0 <4.2.0"
}
}
],
"database_specific": {
"affected_versions": ">3.0.0 <3.2.0 || >=4.0.0 <4.2.0"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-088"
}
],
"credits": [
{
"name": "Ryugo Kinoshita (dc-kinoshita)",
"contact": [
"/u/dc-kinoshita"
]
}
]
}
Loading