Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions advisories/ckeditor5_youtube/DSA-CONTRIB-2025-081.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-081",
"modified": "2025-06-25T18:42:06.000Z",
"published": "2025-06-25T18:42:06.000Z",
"aliases": [
"CVE-2025-6674"
],
"details": "The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.\n\nThe module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity. \nThis vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/ckeditor5_youtube"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"database_specific": {
"constraint": "<1.0.3"
}
}
],
"database_specific": {
"affected_versions": "<1.0.3"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-081"
}
],
"credits": [
{
"name": "nico.b",
"contact": [
"/u/nicob"
]
}
]
}
2 changes: 1 addition & 1 deletion advisories/core/DSA-CORE-2025-004.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.7.0",
"id": "DSA-CORE-2025-004",
"modified": "2025-03-31T21:57:44.000Z",
"modified": "2025-06-14T13:06:04.000Z",
"published": "2025-03-19T18:54:35.000Z",
"aliases": [
"CVE-2025-31675"
Expand Down
11 changes: 7 additions & 4 deletions advisories/email_tfa/DSA-CONTRIB-2025-001.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-001",
"modified": "2025-03-31T22:03:35.000Z",
"modified": "2025-06-19T22:05:09.000Z",
"published": "2025-01-08T17:22:11.000Z",
"aliases": [
"CVE-2025-31676"
Expand All @@ -19,19 +19,22 @@
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
"introduced": "2.0.1"
},
{
"fixed": "2.0.3"
}
],
"database_specific": {
"constraint": "<2.0.3"
"constraint": ">2.0.0 <2.0.3",
"warnings": [

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: I'll address this warning later today

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened #96 for this

"the > operator should be avoided as it does not provide a concrete version"
]
}
}
],
"database_specific": {
"affected_versions": "<2.0.3"
"affected_versions": ">2.0.0 <2.0.3"
}
}
],
Expand Down
52 changes: 52 additions & 0 deletions advisories/glightbox/DSA-CONTRIB-2025-078.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-078",
"modified": "2025-06-25T18:41:20.000Z",
"published": "2025-06-25T18:41:20.000Z",
"aliases": [
"CVE-2025-48922"
],
"details": "GLightbox module is a pure Javascript lightbox for CKEditor.\n\nThe module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/glightbox"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.16"
}
],
"database_specific": {
"constraint": "<1.0.16"
}
}
],
"database_specific": {
"affected_versions": "<1.0.16"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-078"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"/u/prudloff"
]
}
]
}
52 changes: 52 additions & 0 deletions advisories/klaro/DSA-CONTRIB-2025-080.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-080",
"modified": "2025-06-25T18:41:56.000Z",
"published": "2025-06-25T18:41:56.000Z",
"aliases": [
"CVE-2025-5682"
],
"details": "Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.\n\nThe module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/klaro"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.7"
}
],
"database_specific": {
"constraint": "<3.0.7"
}
}
],
"database_specific": {
"affected_versions": "<3.0.7"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-080"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"/u/prudloff"
]
}
]
}
94 changes: 94 additions & 0 deletions advisories/miniorange_2fa/DSA-CONTRIB-2025-082.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-082",
"modified": "2025-06-25T18:42:17.000Z",
"published": "2025-06-25T18:42:17.000Z",
"aliases": [
"CVE-2025-6675"
],
"details": "The module enables you to add second-factor authentication on top of the default Drupal login.\n\nThe module does not sufficiently ensure that known authorization routes are protected.\n\nThis vulnerability is mitigated by the fact that an attacker must obtain the user's username and password.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/miniorange_2fa"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.0"
}
],
"database_specific": {
"constraint": "<4.8.0"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.1"
}
],
"database_specific": {
"constraint": ">=5.2.0 <5.2.1"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.0"
}
],
"database_specific": {
"constraint": "5.0.*"
}
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.2.0"
}
],
"database_specific": {
"constraint": "5.1.*"
}
}
],
"database_specific": {
"affected_versions": "<4.8.0 || >=5.2.0 <5.2.1 || 5.0.* || 5.1.*"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-082"
}
],
"credits": [
{
"name": "Conrad Lara (cmlara)",
"contact": [
"/u/cmlara"
]
}
]
}
52 changes: 52 additions & 0 deletions advisories/paragraphs_table/DSA-CONTRIB-2025-084.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
{
"schema_version": "1.7.0",
"id": "DSA-CONTRIB-2025-084",
"modified": "2025-06-25T18:43:00.000Z",
"published": "2025-06-25T18:43:00.000Z",
"aliases": [
"CVE-2025-6677"
],
"details": "Project Paragraphs table provides a field for a collection table.\n\nThe module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.",
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/paragraphs_table"
},
"severity": [],
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.5"
}
],
"database_specific": {
"constraint": ">=2.0.0 <2.0.5"
}
}
],
"database_specific": {
"affected_versions": ">=2.0.0 <2.0.5"
}
}
],
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-084"
}
],
"credits": [
{
"name": "Pierre Rudloff (prudloff)",
"contact": [
"/u/prudloff"
]
}
]
}
Loading
Loading