Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions advisories/alogin/DSA-CONTRIB-2025-096.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-096",
"modified": "2025-08-13T17:33:24.000Z",
"published": "2025-08-13T17:33:24.000Z",
"aliases": [
"CVE-2025-8995"
],
"details": "This module enables users to setup two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow.\n\nThe module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.\n\nThis vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the necessary conditions that allow authentication byass. The series of requests could alert a site owner that they are being attacked; however, the number of requests necessary to trigger the conditions is usually quite small (the number depends on site configuration, by default it is 5).",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/alogin"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"database_specific": {
"constraint": "<2.1.4"
}
}
],
"database_specific": {
"affected_versions": "<2.1.4"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-096"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"https://www.drupal.org/u/prudloff"
]
}
]
}
58 changes: 58 additions & 0 deletions advisories/layout_builder_perms/DSA-CONTRIB-2025-097.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-097",
"modified": "2025-08-13T17:33:34.000Z",
"published": "2025-08-13T17:33:34.000Z",
"aliases": [
"CVE-2025-8996"
],
"details": "The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.\n\nThe module doesn't sufficiently control access for adding sections in the submodule.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:\n\n* Node: View published content\n* Node: (Your content type): Create new content\n* Node: (Your content type): Edit any content\n* Layout builder: (Your content type): Configure layout overrides for content items that the user can edit\n* Layout builder advanced permissions: Access Layout Builder page",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/layout_builder_perms"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.2.0"
},
{
"last_affected": "2.2.0"
}
],
"database_specific": {
"constraint": "2.2.0"
}
}
],
"database_specific": {
"affected_versions": "2.2.0"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-097"
}
],
"credits": [
{
"name": "Eelke Blok (eelkeblok)",
"contact": [
"https://www.drupal.org/u/eelkeblok"
]
},
{
"name": "Michael Whittaker (mrwhittaker)",
"contact": [
"https://www.drupal.org/u/mrwhittaker"
]
}
]
}