From c5ec11e164b26c20149f057a2f7473bbbc1e2a08 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 25 Jun 2025 21:12:18 +0000 Subject: [PATCH] feat: update advisories --- .../DSA-CONTRIB-2025-081.json | 52 ++++++++++ advisories/core/DSA-CORE-2025-004.json | 2 +- .../email_tfa/DSA-CONTRIB-2025-001.json | 11 ++- .../glightbox/DSA-CONTRIB-2025-078.json | 52 ++++++++++ advisories/klaro/DSA-CONTRIB-2025-080.json | 52 ++++++++++ .../miniorange_2fa/DSA-CONTRIB-2025-082.json | 94 +++++++++++++++++++ .../DSA-CONTRIB-2025-084.json | 52 ++++++++++ .../simple_sitemap/DSA-CONTRIB-2025-083.json | 52 ++++++++++ advisories/social/DSA-CONTRIB-2025-079.json | 66 +++++++++++++ advisories/toc_js/DSA-CONTRIB-2025-077.json | 52 ++++++++++ 10 files changed, 480 insertions(+), 5 deletions(-) create mode 100644 advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json create mode 100644 advisories/glightbox/DSA-CONTRIB-2025-078.json create mode 100644 advisories/klaro/DSA-CONTRIB-2025-080.json create mode 100644 advisories/miniorange_2fa/DSA-CONTRIB-2025-082.json create mode 100644 advisories/paragraphs_table/DSA-CONTRIB-2025-084.json create mode 100644 advisories/simple_sitemap/DSA-CONTRIB-2025-083.json create mode 100644 advisories/social/DSA-CONTRIB-2025-079.json create mode 100644 advisories/toc_js/DSA-CONTRIB-2025-077.json diff --git a/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json b/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json new file mode 100644 index 00000000..813bf527 --- /dev/null +++ b/advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-081", + "modified": "2025-06-25T18:42:06.000Z", + "published": "2025-06-25T18:42:06.000Z", + "aliases": [ + "CVE-2025-6674" + ], + "details": "The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.\n\nThe module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity. \nThis vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/ckeditor5_youtube" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.3" + } + ], + "database_specific": { + "constraint": "<1.0.3" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.3" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-081" + } + ], + "credits": [ + { + "name": "nico.b", + "contact": [ + "/u/nicob" + ] + } + ] +} diff --git a/advisories/core/DSA-CORE-2025-004.json b/advisories/core/DSA-CORE-2025-004.json index eeef0984..e1cd827c 100644 --- a/advisories/core/DSA-CORE-2025-004.json +++ b/advisories/core/DSA-CORE-2025-004.json @@ -1,7 +1,7 @@ { "schema_version": "1.7.0", "id": "DSA-CORE-2025-004", - "modified": "2025-03-31T21:57:44.000Z", + "modified": "2025-06-14T13:06:04.000Z", "published": "2025-03-19T18:54:35.000Z", "aliases": [ "CVE-2025-31675" diff --git a/advisories/email_tfa/DSA-CONTRIB-2025-001.json b/advisories/email_tfa/DSA-CONTRIB-2025-001.json index c2ad9504..9d188241 100644 --- a/advisories/email_tfa/DSA-CONTRIB-2025-001.json +++ b/advisories/email_tfa/DSA-CONTRIB-2025-001.json @@ -1,7 +1,7 @@ { "schema_version": "1.7.0", "id": "DSA-CONTRIB-2025-001", - "modified": "2025-03-31T22:03:35.000Z", + "modified": "2025-06-19T22:05:09.000Z", "published": "2025-01-08T17:22:11.000Z", "aliases": [ "CVE-2025-31676" @@ -19,19 +19,22 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "2.0.1" }, { "fixed": "2.0.3" } ], "database_specific": { - "constraint": "<2.0.3" + "constraint": ">2.0.0 <2.0.3", + "warnings": [ + "the > operator should be avoided as it does not provide a concrete version" + ] } } ], "database_specific": { - "affected_versions": "<2.0.3" + "affected_versions": ">2.0.0 <2.0.3" } } ], diff --git a/advisories/glightbox/DSA-CONTRIB-2025-078.json b/advisories/glightbox/DSA-CONTRIB-2025-078.json new file mode 100644 index 00000000..2018a50b --- /dev/null +++ b/advisories/glightbox/DSA-CONTRIB-2025-078.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-078", + "modified": "2025-06-25T18:41:20.000Z", + "published": "2025-06-25T18:41:20.000Z", + "aliases": [ + "CVE-2025-48922" + ], + "details": "GLightbox module is a pure Javascript lightbox for CKEditor.\n\nThe module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/glightbox" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.0.16" + } + ], + "database_specific": { + "constraint": "<1.0.16" + } + } + ], + "database_specific": { + "affected_versions": "<1.0.16" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-078" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "/u/prudloff" + ] + } + ] +} diff --git a/advisories/klaro/DSA-CONTRIB-2025-080.json b/advisories/klaro/DSA-CONTRIB-2025-080.json new file mode 100644 index 00000000..3d92da5d --- /dev/null +++ b/advisories/klaro/DSA-CONTRIB-2025-080.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-080", + "modified": "2025-06-25T18:41:56.000Z", + "published": "2025-06-25T18:41:56.000Z", + "aliases": [ + "CVE-2025-5682" + ], + "details": "Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.\n\nThe module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/klaro" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.0.7" + } + ], + "database_specific": { + "constraint": "<3.0.7" + } + } + ], + "database_specific": { + "affected_versions": "<3.0.7" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-080" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "/u/prudloff" + ] + } + ] +} diff --git a/advisories/miniorange_2fa/DSA-CONTRIB-2025-082.json b/advisories/miniorange_2fa/DSA-CONTRIB-2025-082.json new file mode 100644 index 00000000..3ad72ef2 --- /dev/null +++ b/advisories/miniorange_2fa/DSA-CONTRIB-2025-082.json @@ -0,0 +1,94 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-082", + "modified": "2025-06-25T18:42:17.000Z", + "published": "2025-06-25T18:42:17.000Z", + "aliases": [ + "CVE-2025-6675" + ], + "details": "The module enables you to add second-factor authentication on top of the default Drupal login.\n\nThe module does not sufficiently ensure that known authorization routes are protected.\n\nThis vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/miniorange_2fa" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.8.0" + } + ], + "database_specific": { + "constraint": "<4.8.0" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2.0" + }, + { + "fixed": "5.2.1" + } + ], + "database_specific": { + "constraint": ">=5.2.0 <5.2.1" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0" + }, + { + "fixed": "5.1.0" + } + ], + "database_specific": { + "constraint": "5.0.*" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.1.0" + }, + { + "fixed": "5.2.0" + } + ], + "database_specific": { + "constraint": "5.1.*" + } + } + ], + "database_specific": { + "affected_versions": "<4.8.0 || >=5.2.0 <5.2.1 || 5.0.* || 5.1.*" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-082" + } + ], + "credits": [ + { + "name": "Conrad Lara (cmlara)", + "contact": [ + "/u/cmlara" + ] + } + ] +} diff --git a/advisories/paragraphs_table/DSA-CONTRIB-2025-084.json b/advisories/paragraphs_table/DSA-CONTRIB-2025-084.json new file mode 100644 index 00000000..7f0c2a08 --- /dev/null +++ b/advisories/paragraphs_table/DSA-CONTRIB-2025-084.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-084", + "modified": "2025-06-25T18:43:00.000Z", + "published": "2025-06-25T18:43:00.000Z", + "aliases": [ + "CVE-2025-6677" + ], + "details": "Project Paragraphs table provides a field for a collection table.\n\nThe module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/paragraphs_table" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.5" + } + ], + "database_specific": { + "constraint": ">=2.0.0 <2.0.5" + } + } + ], + "database_specific": { + "affected_versions": ">=2.0.0 <2.0.5" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-084" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "/u/prudloff" + ] + } + ] +} diff --git a/advisories/simple_sitemap/DSA-CONTRIB-2025-083.json b/advisories/simple_sitemap/DSA-CONTRIB-2025-083.json new file mode 100644 index 00000000..b6d3d748 --- /dev/null +++ b/advisories/simple_sitemap/DSA-CONTRIB-2025-083.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-083", + "modified": "2025-06-25T18:42:38.000Z", + "published": "2025-06-25T18:42:38.000Z", + "aliases": [ + "CVE-2025-6676" + ], + "details": "[Simple XML sitemap](https://www.drupal.org/project/simple_sitemap) is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines. \nThe module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting (XSS) attack vector. \nThis vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/simple_sitemap" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.2.2" + } + ], + "database_specific": { + "constraint": "< 4.2.2" + } + } + ], + "database_specific": { + "affected_versions": "< 4.2.2" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-083" + } + ], + "credits": [ + { + "name": "Nick Vanpraet (grayle)", + "contact": [ + "/u/grayle" + ] + } + ] +} diff --git a/advisories/social/DSA-CONTRIB-2025-079.json b/advisories/social/DSA-CONTRIB-2025-079.json new file mode 100644 index 00000000..50813285 --- /dev/null +++ b/advisories/social/DSA-CONTRIB-2025-079.json @@ -0,0 +1,66 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-079", + "modified": "2025-06-25T18:41:34.000Z", + "published": "2025-06-25T18:41:34.000Z", + "aliases": [ + "CVE-2025-48921" + ], + "details": "Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.\n\nThe module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.\n\nThis issue only affects sites that have event enrollments enabled for an event.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/social" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "12.3.14" + } + ], + "database_specific": { + "constraint": "<12.3.14" + } + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "12.4.0" + }, + { + "fixed": "12.4.13" + } + ], + "database_specific": { + "constraint": ">=12.4.0 <12.4.13" + } + } + ], + "database_specific": { + "affected_versions": "<12.3.14 || >=12.4.0 <12.4.13" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-079" + } + ], + "credits": [ + { + "name": "Ivo Van Geertruyen (mr.baileys)", + "contact": [ + "/u/mrbaileys" + ] + } + ] +} diff --git a/advisories/toc_js/DSA-CONTRIB-2025-077.json b/advisories/toc_js/DSA-CONTRIB-2025-077.json new file mode 100644 index 00000000..4bff5d5b --- /dev/null +++ b/advisories/toc_js/DSA-CONTRIB-2025-077.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.7.0", + "id": "DSA-CONTRIB-2025-077", + "modified": "2025-06-25T18:41:06.000Z", + "published": "2025-06-25T18:41:06.000Z", + "aliases": [ + "CVE-2025-48923" + ], + "details": "This module enables you to generate Table of content of your pages given a configuration.\n\nThe module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "drupal/toc_js" + }, + "severity": [], + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.1" + } + ], + "database_specific": { + "constraint": "<3.2.1" + } + } + ], + "database_specific": { + "affected_versions": "<3.2.1" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.drupal.org/sa-contrib-2025-077" + } + ], + "credits": [ + { + "name": "Pierre Rudloff (prudloff)", + "contact": [ + "/u/prudloff" + ] + } + ] +}