[CIVN-2025-0359] Multiple Vulnerabilities in Drupal Products

Published On: December 12, 2025

Multiple Vulnerabilities in Drupal Products 
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
Mini Site module for Drupal versions prior to 3.0.2
CKEditor 5 Premium Features module for Drupal versions before 1.2.10
CKEditor 5 Premium Features module for Drupal versions 1.3.0 – 1.3.6
CKEditor 5 Premium Features module for Drupal versions 1.4.0 – 1.4.3
CKEditor 5 Premium Features module for Drupal versions 1.5.0 – 1.5.1
CKEditor 5 Premium Features module for Drupal versions 1.6.0 – 1.6.4
AI (Artificial Intelligence) module for Drupal versions before 1.0.7
AI (Artificial Intelligence) module for Drupal versions 1.1.0 – 1.1.7
AI (Artificial Intelligence) module for Drupal versions 1.2.0 – 1.2.4
Login Time Restriction module for Drupal versions prior to 1.0.3
Tagify module for Drupal versions prior to 1.2.44
Next.js module for Drupal versions prior to 1.6.4
Next.js module for Drupal versions 2.0.0 – 2.0.1
Entity Share module for Drupal versions prior to 3.13.0
Disable Login Page module for Drupal versions prior to 1.1.3
Overview
Multiple vulnerabilities have been reported in Drupal which could allow an attacker to disclose sensitive information, bypass access restrictions, execute cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
 
Target Audience:
Individuals and end-user organizations using Drupal.
Risk Assessment:
High risk of cross-site scripting attacks, unauthorized access to restricted resources, cross-origin abuse, authentication bypass, and forced session termination.
Impact Assessment:
Potential for account compromise, data exposure, and unauthorized access.
Description
Drupal is an open-source content management system (CMS) that allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in Drupal modules due to insufficient access controls, insecure default configurations, or improper validation and sanitization of user inputs.
Successful exploitation of these vulnerabilities could allow the attacker to bypass authentication or access controls, execute cross-site scripting (XSS), perform unauthorized cross-origin requests, extract restricted files, or trigger logout actions.
Solution
Upgrade to the latest versions as mentioned in the security advisories:
https://www.drupal.org/sa-contrib-2025-117
https://www.drupal.org/sa-contrib-2025-118
https://www.drupal.org/sa-contrib-2025-119
https://www.drupal.org/sa-contrib-2025-120
https://www.drupal.org/sa-contrib-2025-121
https://www.drupal.org/sa-contrib-2025-122
https://www.drupal.org/sa-contrib-2025-123
https://www.drupal.org/sa-contrib-2025-124
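An added example, not part of the CERT-In advisory or of Drupal's own tooling: a version check that flags installed modules falling inside the ranges listed under Software Affected. The dictionary keys reuse the advisory's module names, the SAMPLE inventory is constructed, and treating a pre-release as older than its release is an assumption of this example.

```python
import re

# Affected ranges transcribed from the advisory above.
# (low, high, high_inclusive); low=None means "every version below high".
AFFECTED = {
    "Mini Site": [(None, "3.0.2", False)],
    "CKEditor 5 Premium Features": [
        (None, "1.2.10", False), ("1.3.0", "1.3.6", True),
        ("1.4.0", "1.4.3", True), ("1.5.0", "1.5.1", True),
        ("1.6.0", "1.6.4", True)],
    "AI (Artificial Intelligence)": [(None, "1.0.7", False),
        ("1.1.0", "1.1.7", True), ("1.2.0", "1.2.4", True)],
    "Login Time Restriction": [(None, "1.0.3", False)],
    "Tagify": [(None, "1.2.44", False)],
    "Next.js": [(None, "1.6.4", False), ("2.0.0", "2.0.1", True)],
    "Entity Share": [(None, "3.13.0", False)],
    "Disable Login Page": [(None, "1.1.3", False)],
}

def parse(version):
    """'1.2.44' -> (1, 2, 44, 1); a pre-release such as '3.0.2-rc1' sorts
    just below its release, and a legacy '8.x-' core prefix is ignored."""
    m = re.fullmatch(r"(?:\d+\.x-)?(\d+(?:\.\d+)*)(-.+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if m.group(2) else (1,))

def is_affected(module, version):
    v = parse(version)
    for low, high, inclusive in AFFECTED.get(module, []):
        if low is not None and v < parse(low):
            continue
        if v < parse(high) or (inclusive and v == parse(high)):
            return True
    return False

def audit(installed):
    """Return the sorted names of installed modules in an affected range."""
    return sorted(m for m, v in installed.items() if is_affected(m, v))

# Constructed inventory (not real site data), keyed by the advisory's names.
SAMPLE = {"Tagify": "1.2.43", "Next.js": "1.6.4", "Entity Share": "8.x-3.0",
          "AI (Artificial Intelligence)": "1.1.8", "Mini Site": "3.0.2-rc1"}

if __name__ == "__main__":
    print("UPGRADE:", ", ".join(audit(SAMPLE)))
```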
Vendor Information
Drupal
https://www.drupal.org
CVE Name
CVE-2025-13979
CVE-2025-13980
CVE-2025-13981
CVE-2025-13982
CVE-2025-13983
CVE-2025-13984
CVE-2025-13985
CVE-2025-13986
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003