—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple vulnerabilities in Drupal Modules 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

Drupal Real-time SEO versions prior to 2.2.0

Drupal Block Attributes versions prior to 1.1.0 and version 2.0.0

Drupal File Download versions prior to 1.9.0 and version 2.0.0

Overview

Multiple vulnerabilities have been reported in Drupal modules which could be exploited by an attacker to bypass security restrictions or can perform cross site scripting attack on the targeted system.

Target Audience:

Individuals and end-user organizations using Drupal Modules.

Risk Assessment:

High risk of unauthorized access to sensitive data.

Impact Assessment:

Potential for data theft and system compromise.

Description

Drupal is an open-source content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.

These vulnerabilities exist in the Drupal modules due to inadequate input validation when processing file access requests, improper validation of provided attributes and insufficient escaping of metadata from content while rendering the preview.

Successful exploitation of this vulnerability could allow an attacker to bypass security restrictions or can perform cross site scripting attack on the targeted system.

Solution

Apply appropriate updates as mentioned:

https://www.drupal.org/project/yoast_seo/releases/8.x-2.2

https://www.drupal.org/project/block_attributes/releases/8.x-1.1

https://www.drupal.org/project/block_attributes/releases/2.0.1

https://www.drupal.org/project/file_download/releases/2.0.1

https://www.drupal.org/project/file_download/releases/8.x-1.9

Vendor Information

Drupal

https://www.drupal.org/sa-contrib-2025-089

https://www.drupal.org/sa-contrib-2025-090

https://www.drupal.org/sa-contrib-2025-091

References

Drupal

https://www.drupal.org/sa-contrib-2025-089

https://www.drupal.org/sa-contrib-2025-090

https://www.drupal.org/sa-contrib-2025-091

CVE Name

CVE-2025-7715

CVE-2025-7716

CVE-2025-7717

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmiM2hIACgkQ3jCgcSdc

ys8AQBAAjnJjwjwtHGpre1pNMNaA/M4jKTC2NcdQiCSFWU++dIhvby1rRRsaEoQP

7bd9WiBAWsp+8ytxlDfj912VxPuY1OGWWrPv6G7Tp6HLsycx9Tnf20jpqSI6oT2c

Ga51CjLNQFFZBT7OQR0cJSufwtRP1C485n9TLB+AtMKsEi/ahvGK03xgfQJCg0hC

Eww8tKRFaAbSBXL+46QwrIpdcs5SS45OV+hXaZdliLdPrUOUfbH0QnJbsR1k3gyW

TJ0au5LtHheLIv57qR5gSdflbCwZxsy7p2yftDQsm0QQUqKiY8XXebdnxgNHHGcu

pAgfMc6bcKKjOHwGHH/HfjdPcX5n16REEo8oW+bOiTOX0XQt6dsJSS0M1aOv/Fxe

KVOafffBQZbjW6RicafipdYb4xjmFA8/jTrKFnrjIg3vxlvnxohHFuj8dICnh00V

aupS8N4Nlk4MbZ2S8OOm/rtv23a2sKkq+5IeVLLeRHN9HQouMMuQ0ZAgUTMCHpvn

pyG4PRoiRDdhpyVDaQ3xDoUU8TF/FP4LTWvltFE/+Ar1CythTurquRBN12D/CPYa

KpXrHLVVu2JDdgWgP4O5D5Z/CuF1aDmuOYwXNroqarPp8tYGDnEh+3JAfCICgWOT

pGv2PMEccsfmNS/hsbUYUY8LefCm3QusHV2zYGGYiObSmUrwW7o=

=sMVK

—–END PGP SIGNATURE—–