From 7ae4991a5e5f73d10e0f3a67b39f628d32b964c9 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 29 Oct 2025 17:28:54 +0000 Subject: [PATCH] feat: update advisories --- .../simple_oauth/DSA-CONTRIB-2025-114.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 advisories/simple_oauth/DSA-CONTRIB-2025-114.json diff --git a/advisories/simple_oauth/DSA-CONTRIB-2025-114.json b/advisories/simple_oauth/DSA-CONTRIB-2025-114.json new file mode 100644 index 00000000..b323d103 --- /dev/null +++ b/advisories/simple_oauth/DSA-CONTRIB-2025-114.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-114", + "modified": "2025-10-29T17:14:34.000Z", + "published": "2025-10-29T16:44:39.000Z", + "aliases": [ + "CVE-2025-12466" + ], + "details": "This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.\n\nThe module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles. For example: routes that have the `_role` requirement, can be bypassed with an access token.\n\nThis vulnerability is mitigated by the fact that an attacker must have the access token in possession and the user related to the token must have the associated (role requirement) roles assigned.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/simple_oauth" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0.1" + }, + { + "fixed": "6.0.7" + } + ], + "database_specific": { + "constraint": ">6.0.0 <6.0.7", + "warnings": [ + "the > operator should be avoided as it does not provide a concrete version" + ] + } + } + ], + "database_specific": { + "affected_versions": ">6.0.0 <6.0.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-114" + } + ], + "credits": [ + { + "name": "coffeemakr", + "contact": [ + "https://www.drupal.org/u/coffeemakr" + ] + } + ] +}