From 8959315c7df3cd448c75992245683e3c9324ab05 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 13 Aug 2025 19:00:44 +0000 Subject: [PATCH] feat: update advisories --- advisories/alogin/DSA-CONTRIB-2025-096.json | 52 +++++++++++++++++ .../DSA-CONTRIB-2025-097.json | 58 +++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 advisories/alogin/DSA-CONTRIB-2025-096.json create mode 100644 advisories/layout_builder_perms/DSA-CONTRIB-2025-097.json diff --git a/advisories/alogin/DSA-CONTRIB-2025-096.json b/advisories/alogin/DSA-CONTRIB-2025-096.json new file mode 100644 index 00000000..9053c9ab --- /dev/null +++ b/advisories/alogin/DSA-CONTRIB-2025-096.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-096", + "modified": "2025-08-13T17:33:24.000Z", + "published": "2025-08-13T17:33:24.000Z", + "aliases": [ + "CVE-2025-8995" + ], + "details": "This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.\n\nThe module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.\n\nThis vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/alogin" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.1.4" + } + ], + "database_specific": { + "constraint": "<2.1.4" + } + } + ], + "database_specific": { + "affected_versions": "<2.1.4" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-096" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "https://www.drupal.org/u/prudloff" + ] + } + ] +} diff --git a/advisories/layout_builder_perms/DSA-CONTRIB-2025-097.json b/advisories/layout_builder_perms/DSA-CONTRIB-2025-097.json new file mode 100644 index 00000000..215844e5 --- /dev/null +++ b/advisories/layout_builder_perms/DSA-CONTRIB-2025-097.json @@ -0,0 +1,58 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-097", + "modified": "2025-08-13T17:33:34.000Z", + "published": "2025-08-13T17:33:34.000Z", + "aliases": [ + "CVE-2025-8996" + ], + "details": "The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.\n\nThe module doesn't sufficiently control access for adding sections in the submodule.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:\n\n* Node: View published content\n* Node: (Your content type): Create new content\n* Node: (Your content type): Edit any content\n* Layout builder: (Your content type): Configure layout overrides for content items that the user can edit\n* Layout builder advanced permissions: Access Layout Builder page", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/layout_builder_perms" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "last_affected": "2.2.0" + } + ], + "database_specific": { + "constraint": "2.2.0" + } + } + ], + "database_specific": { + "affected_versions": "2.2.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-097" + } + ], + "credits": [ + { + "name": "Eelke Blok (eelkeblok)", + "contact": [ + "https://www.drupal.org/u/eelkeblok" + ] + }, + { + "name": "Michael Whittaker (mrwhittaker)", + "contact": [ + "https://www.drupal.org/u/mrwhittaker" + ] + } + ] +}