[CIVN-2025-0203] Multiple Vulnerabilities in Drupal modules
Multiple Vulnerabilities in Drupal modules
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Drupal Authenticator Login versions prior to 2.1.8
Drupal Facets versions prior to 2.0.10 and version 3.0.0
Drupal Protected Pages versions prior to 1.8.0
Drupal Synchronize composer.json With Contrib Modules
Drupal API Key manager
Drupal Owl Carousel 2
Overview
Multiple vulnerabilities have been reported in Drupal modules which could be exploited by an attacker to bypass security restrictions, disclose sensitive information and perform cross-site scripting attacks on the targeted system.
Target Audience:
Individuals and end-user organizations using Drupal Modules.
Risk Assessment:
High risk of unauthorized access to sensitive data.
Impact Assessment:
Potential for data theft and system compromise.
Description
Drupal is an open-source content management system (CMS) that allows individuals and organizations to create, manage and maintain websites and web applications.
Multiple vulnerabilities exist in Drupal modules due to inadequate input validation when processing file access requests, improper validation of provided attributes and insufficient escaping of metadata from content while rendering the preview.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions, disclose sensitive information and perform cross-site scripting attacks on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor
https://www.drupal.org/sa-contrib-2025-098
https://www.drupal.org/sa-contrib-2025-099
https://www.drupal.org/sa-contrib-2025-100
https://www.drupal.org/sa-contrib-2025-101
https://www.drupal.org/sa-contrib-2025-102
https://www.drupal.org/sa-contrib-2025-103
https://www.drupal.org/sa-contrib-2025-104
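To find which sites still need these updates, the following added example (not part of the CERT-In advisory or Drupal's own tooling) checks a site's composer.lock against the version ranges listed under Software Affected. The Composer package names, the `audit_lock` helper and the sample lock file are assumptions made for illustration; modules the advisory lists without a version range can be passed in `no_range` for manual review against the vendor advisories.

```python
import json
import re

# Version ranges as listed in the advisory. The Composer package names are
# assumptions; the advisory gives only the human-readable module names.
AFFECTED = {
    "drupal/alogin": ((2, 1, 8), set()),            # Authenticator Login
    "drupal/facets": ((2, 0, 10), {(3, 0, 0)}),     # Facets: < 2.0.10, and 3.0.0
    "drupal/protected_pages": ((1, 8, 0), set()),   # Protected Pages
}
STABLE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def audit_lock(lock_text, no_range=()):
    """Return {package: (version, status)} for advisory modules in a composer.lock.
    status is "vulnerable", "ok" or "review" (dev or pre-release version strings,
    or a module listed without a version range and passed in no_range)."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", "").lower(), pkg.get("version", "")
        if name not in AFFECTED and name not in no_range:
            continue
        m = STABLE.match(version)
        if name in no_range or not m:
            findings[name] = (version, "review")
            continue
        fixed, also_bad = AFFECTED[name]
        v = tuple(int(x) for x in m.groups())
        status = "vulnerable" if v < fixed or v in also_bad else "ok"
        findings[name] = (version, status)
    return findings


# Constructed sample lock file (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.2"},
        {"name": "drupal/alogin", "version": "2.1.7"},
        {"name": "drupal/facets", "version": "3.0.0"},
        {"name": "drupal/protected_pages", "version": "1.8.0"},
    ],
    "packages-dev": [{"name": "drupal/example_placeholder", "version": "1.0.0"}],
})

if __name__ == "__main__":
    for name, (ver, status) in sorted(audit_lock(SAMPLE_LOCK).items()):
        print(f"{status:10} {name} {ver}")
```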
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2025-099
https://www.drupal.org/sa-contrib-2025-098
https://www.drupal.org/sa-contrib-2025-100
https://www.drupal.org/sa-contrib-2025-101
https://www.drupal.org/sa-contrib-2025-102
https://www.drupal.org/sa-contrib-2025-103
https://www.drupal.org/sa-contrib-2025-104
CVE Name
CVE-2025-8093
CVE-2025-9549
CVE-2025-9550
CVE-2025-9551
CVE-2025-9552
CVE-2025-9553
CVE-2025-9554
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003