[CIVN-2025-0160] Multiple vulnerabilities in Drupal Modules
Multiple vulnerabilities in Drupal Modules
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Drupal Real-time SEO versions prior to 2.2.0
Drupal Block Attributes versions prior to 1.1.0 and version 2.0.0
Drupal File Download versions prior to 1.9.0 and version 2.0.0
Overview
Multiple vulnerabilities have been reported in Drupal modules which could be exploited by an attacker to bypass security restrictions or perform cross-site scripting attacks on the targeted system.
Target Audience:
Individuals and end-user organizations using Drupal Modules.
Risk Assessment:
High risk of unauthorized access to sensitive data.
Impact Assessment:
Potential for data theft and system compromise.
Description
Drupal is an open-source content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in the Drupal modules due to inadequate input validation when processing file access requests, improper validation of provided attributes and insufficient escaping of metadata from content while rendering the preview.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions or perform cross-site scripting attacks on the targeted system.
Solution
Apply appropriate updates as mentioned:
https://www.drupal.org/project/yoast_seo/releases/8.x-2.2
https://www.drupal.org/project/block_attributes/releases/8.x-1.1
https://www.drupal.org/project/block_attributes/releases/2.0.1
https://www.drupal.org/project/file_download/releases/2.0.1
https://www.drupal.org/project/file_download/releases/8.x-1.9
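To confirm which sites still need these updates, the affected ranges above can be checked against a module inventory. The following is an added example, not part of the CERT-In advisory or of Drupal's tooling; it assumes version strings in Drupal's `8.x-1.8` or semantic `2.0.1` form, takes the project machine names from the release URLs, and uses a constructed sample inventory.

```python
import re

# Affected ranges as stated in the advisory, keyed by the project machine
# names from the release URLs. "below": versions prior to this are affected;
# "exact": one further affected release, if any.
AFFECTED = {
    "yoast_seo":        {"below": (2, 2, 0), "exact": None},
    "block_attributes": {"below": (1, 1, 0), "exact": (2, 0, 0)},
    "file_download":    {"below": (1, 9, 0), "exact": (2, 0, 0)},
}

# Accepts '8.x-1.8', '2.0.1' and pre-releases such as '8.x-2.2-beta1'.
_VERSION = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION.match(text.strip())
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None

def classify(project, version_text):
    """Return 'affected', 'not affected', 'review' or 'not listed'."""
    rule = AFFECTED.get(project)
    if rule is None:
        return "not listed"
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"        # e.g. '8.x-1.x-dev' has no release to compare
    number, prerelease = parsed
    if number < rule["below"] or (number == rule["below"] and prerelease):
        return "affected"      # a beta/rc of the fixed release predates it
    if prerelease:
        return "review"        # the advisory only lists final releases
    return "affected" if number == rule["exact"] else "not affected"

def audit(installed):
    """Classify every listed project in a {machine_name: version} mapping."""
    return {p: classify(p, v) for p, v in installed.items() if p in AFFECTED}

# Constructed sample inventory (not taken from any real site).
SAMPLE = {"yoast_seo": "8.x-2.1", "block_attributes": "2.0.0",
          "file_download": "8.x-1.9", "token": "8.x-1.15"}

if __name__ == "__main__":
    for project, verdict in audit(SAMPLE).items():
        print(f"{project} {SAMPLE[project]}: {verdict}")
```

Versions marked `review` (development snapshots and pre-releases the advisory does not name) need a manual comparison against the linked release notes.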
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2025-089
https://www.drupal.org/sa-contrib-2025-090
https://www.drupal.org/sa-contrib-2025-091
CVE Name
CVE-2025-7715
CVE-2025-7716
CVE-2025-7717
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003