diff --git a/advisories/canvas/DRUPAL-CONTRIB-2026-017.json b/advisories/canvas/DRUPAL-CONTRIB-2026-017.json
new file mode 100644
index 00000000..51d1d37e
--- /dev/null
+++ b/advisories/canvas/DRUPAL-CONTRIB-2026-017.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-017",
+ "modified": "2026-02-25T18:51:01.000Z",
+ "published": "2026-02-25T18:51:01.000Z",
+ "aliases": [
+ "CVE-2026-3216"
+ ],
+ "details": "This module enables you to easily theme and build an entire website using only their browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers.\n\nThe project has a hidden sub-module, **Drupal Canvas AI**, which is disabled by default. It is typically enabled as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush). When the submodule is enabled, the following vulnerability is exposed.\n\nThe module doesn't sufficiently sanitize user-supplied data via crafted API requests within the messages JSON payload.\n\nIt is mitigated by the fact that an attacker must have a role with the permission \"use Drupal Canvas AI\".\n\n**How the Canvas AI sub-module gets enabled:** As a hidden submodule, `canvas_ai` is not intended for manual activation via the UI. It is designed to be pulled in as a dependency by Drupal Recipes or enabled directly via deployment scripts (e.g., Drush).",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/canvas"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.1.1"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.1.1"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.1.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-017"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}
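Review bot: `severity` is an empty array and the `details` text never names the weakness class — it only says user-supplied data in the messages JSON payload is insufficiently sanitized — so a consumer matching on this entry gets no machine-readable indication of impact; if the linked SA publishes a risk score, carry it here as a `severity` entry (or at least a `database_specific` risk field) and state what the unsanitized data leads to. The `details` string also repeats itself: the second paragraph and the closing bold "How the Canvas AI sub-module gets enabled" paragraph both say the submodule is pulled in by Recipes or Drush, so one of them can go. Since `affected` targets `drupal/canvas` as a whole while the bug is only reachable with `canvas_ai` enabled, a sentence telling operators to confirm the submodule's status before treating the match as applicable (e.g. via `drush pm:list --status=enabled`) would make the entry more actionable.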
diff --git a/advisories/captcha/DRUPAL-CONTRIB-2026-015.json b/advisories/captcha/DRUPAL-CONTRIB-2026-015.json
new file mode 100644
index 00000000..88fd3655
--- /dev/null
+++ b/advisories/captcha/DRUPAL-CONTRIB-2026-015.json
@@ -0,0 +1,84 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-015",
+ "modified": "2026-02-25T18:47:57.000Z",
+ "published": "2026-02-25T18:47:57.000Z",
+ "aliases": [
+ "CVE-2026-3214"
+ ],
+ "details": "This module enables you to protect web forms from automated spam by requiring users to pass a challenge.\n\nThe module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions.\n\nThis vulnerability is mitigated by the fact that an attacker must first successfully solve at least one CAPTCHA manually to harvest the valid tokens.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/captcha"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.17.0"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.17.0"
+ }
+ },
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.0.0"
+ },
+ {
+ "fixed": "2.0.10"
+ }
+ ],
+ "database_specific": {
+ "constraint": ">=2.0.0 < 2.0.10"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.17.0 || >=2.0.0 < 2.0.10"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-015"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Andrew Belcher (andrewbelcher)",
+ "contact": [
+ "https://www.drupal.org/u/andrewbelcher"
+ ]
+ },
+ {
+ "name": "Chris Dudley (dudleyc)",
+ "contact": [
+ "https://www.drupal.org/u/dudleyc"
+ ]
+ },
+ {
+ "name": "Tim Wood (timwood)",
+ "contact": [
+ "https://www.drupal.org/u/timwood"
+ ]
+ },
+ {
+ "name": "tamasd",
+ "contact": [
+ "https://www.drupal.org/u/tamasd"
+ ]
+ }
+ ]
+}
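Review bot: The second range's `constraint` is written `">=2.0.0 < 2.0.10"` with a space between `<` and the version, unlike `"<1.17.0"` in the first range; if anything downstream treats these strings as Composer constraints or compares them literally, that stray space is a likely mismatch, so normalise it to `">=2.0.0 <2.0.10"` and the summary to `"affected_versions": "<1.17.0 || >=2.0.0 <2.0.10"`. The `events` themselves look right: 1.x is fixed at 1.17.0 and 2.0.x at 2.0.10, so the gap between 1.17.0 and 2.0.0 is intentionally unaffected. One operational caveat worth a sentence in `details`: because the bug is failure to invalidate already-used tokens, tokens harvested before the upgrade may still be replayable afterwards if the module persists them, so sites should consider flushing that store on upgrade — I cannot tell from this entry whether such a store exists.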
diff --git a/advisories/cleantalk/DRUPAL-CONTRIB-2026-014.json b/advisories/cleantalk/DRUPAL-CONTRIB-2026-014.json
new file mode 100644
index 00000000..56b48160
--- /dev/null
+++ b/advisories/cleantalk/DRUPAL-CONTRIB-2026-014.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-014",
+ "modified": "2026-02-25T18:46:10.000Z",
+ "published": "2026-02-25T18:46:10.000Z",
+ "aliases": [
+ "CVE-2026-3213"
+ ],
+ "details": "This module enables you to block bots by Firewall.\n\nThe module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are \"challenged\" or blocked by the firewall.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/cleantalk"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "9.7.0"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<9.7.0"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<9.7.0"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-014"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}
diff --git a/advisories/islandora/DRUPAL-CONTRIB-2026-016.json b/advisories/islandora/DRUPAL-CONTRIB-2026-016.json
new file mode 100644
index 00000000..6bd2168f
--- /dev/null
+++ b/advisories/islandora/DRUPAL-CONTRIB-2026-016.json
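Review bot: The mitigation in `details` — that the vulnerable output is only shown to users who are "challenged" or blocked by the firewall — is a weak one for a reflected XSS and should not be read as reducing the attack to a corner case: a reflected payload is delivered by link, and the firewall's challenge page is, by design, the page an unauthenticated or suspicious visitor lands on, so the attacker only needs the victim to be in that state when they follow the link. Whether an attacker can deliberately trigger the challenge for a chosen victim is not stated here and would be the decisive detail. `severity` is empty; if the SA publishes a risk score it belongs in this array so consumers can prioritise without reading prose.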
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-016",
+ "modified": "2026-02-25T18:49:59.000Z",
+ "published": "2026-02-25T18:49:59.000Z",
+ "aliases": [
+ "CVE-2026-3215"
+ ],
+ "details": "This module integrates with Islandora, an open-source digital asset management (DAM) framework. Islandora integrates with various open-source services, which can be run in a distributed environment.\n\nThe module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to nodes, which can also lead to cross-site scripting and other vulnerabilities.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"create media\" and the ability to edit the node the media is being attached to.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/islandora"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.17.5"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<2.17.5"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<2.17.5"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-016"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}
diff --git a/advisories/material_icons/DRUPAL-CONTRIB-2026-011.json b/advisories/material_icons/DRUPAL-CONTRIB-2026-011.json
new file mode 100644
index 00000000..d21451b1
--- /dev/null
+++ b/advisories/material_icons/DRUPAL-CONTRIB-2026-011.json
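Review bot: The `details` text says insufficient sanitisation of URI paths on the media-attach route "can also lead to cross-site scripting and other vulnerabilities" but never names the primary issue that "also" is in addition to, and `severity` is empty, so a triager gets neither a weakness class nor a score from this entry. State the primary impact explicitly (what an attacker-controlled path does on that route) and carry the SA's risk score in `severity`; if the weakness is known, a `database_specific` field such as `"cwe_ids": ["CWE-79"]` keeps it machine-readable rather than buried in prose. The mitigation is accurate as far as it goes, but "create media" plus edit access on the target node is an ordinary content-editor privilege set, not an administrative one, which is worth saying so the entry is not dismissed as admin-only.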
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-011",
+ "modified": "2026-02-25T18:43:32.000Z",
+ "published": "2026-02-25T18:43:32.000Z",
+ "aliases": [
+ "CVE-2026-3210"
+ ],
+ "details": "This module enables you to add icons to CKEditor.\n\nThe module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/material_icons"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.4"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<2.0.4"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<2.0.4"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-011"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Jen M (jannakha)",
+ "contact": [
+ "https://www.drupal.org/u/jannakha"
+ ]
+ }
+ ]
+}
diff --git a/advisories/miniorange_saml/DRUPAL-CONTRIB-2026-018.json b/advisories/miniorange_saml/DRUPAL-CONTRIB-2026-018.json
new file mode 100644
index 00000000..37b6a157
--- /dev/null
+++ b/advisories/miniorange_saml/DRUPAL-CONTRIB-2026-018.json
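Review bot: The `details` text says the dialog and autocomplete routes lack custom permissions, "allowing full access to the routes in most scenarios", but does not say whether that means anonymous access or merely any authenticated user, and there is no mitigating-factors paragraph and no `severity`; that distinction decides whether this is a pre-authentication exposure and should be stated outright. Because the fix is to add permissions, sites upgrading to 2.0.4 may also need to grant the new permission to the roles that legitimately use the CKEditor plugin or the dialog will stop working for them — a sentence in `details` to that effect would save operators a surprise. What data the autocomplete route exposes is also unstated; if it only returns icon names the impact is low, but that should be said rather than left for readers to guess.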
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-018",
+ "modified": "2026-02-25T18:51:26.000Z",
+ "published": "2026-02-25T18:51:26.000Z",
+ "aliases": [
+ "CVE-2026-3217"
+ ],
+ "details": "This module enables you to perform SAML protocol-based single sign-on (SSO) on a Drupal site.\n\nThe module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting (XSS) vulnerability.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/miniorange_saml"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.1.3"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<3.1.3"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<3.1.3"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-018"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Drew Webber (mcdruid)",
+ "contact": [
+ "https://www.drupal.org/u/mcdruid"
+ ]
+ }
+ ]
+}
diff --git a/advisories/responsive_favicons/DRUPAL-CONTRIB-2026-019.json b/advisories/responsive_favicons/DRUPAL-CONTRIB-2026-019.json
new file mode 100644
index 00000000..91408835
--- /dev/null
+++ b/advisories/responsive_favicons/DRUPAL-CONTRIB-2026-019.json
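Review bot: A reflected XSS in a SAML SSO module is recorded here with no mitigation paragraph, no `severity`, and no indication of which endpoint reflects the input; SSO endpoints are by design reachable before authentication, so if the affected route is the login or assertion-consumer path this is effectively an unauthenticated issue on the one page where users expect to type credentials, and the entry should say so. Suggest carrying the SA's score in `severity` and adding one sentence to `details` that names the affected route or at least states whether any authentication is required to reach it.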
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-019",
+ "modified": "2026-02-25T18:51:43.000Z",
+ "published": "2026-02-25T18:51:43.000Z",
+ "aliases": [
+ "CVE-2026-3218"
+ ],
+ "details": "This module adds the favicons generated by `realfavicongenerator.net` to your Drupal site.\n\nThe module does not filter administrator-entered text, leading to a persistent Cross-site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer responsive favicons\".",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/responsive_favicons"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.0.2"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<2.0.2"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<2.0.2"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-019"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Simon B\u00e4se (simonbaese)",
+ "contact": [
+ "https://www.drupal.org/u/simonbaese"
+ ]
+ }
+ ]
+}
diff --git a/advisories/tagify/DRUPAL-CONTRIB-2026-013.json b/advisories/tagify/DRUPAL-CONTRIB-2026-013.json
new file mode 100644
index 00000000..66f77bd2
--- /dev/null
+++ b/advisories/tagify/DRUPAL-CONTRIB-2026-013.json
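Review bot: The mitigation sentence ("an attacker must have a role with the permission \"administer responsive favicons\"") reads as if it neutralises the issue, but a persistent XSS in administrator-entered text that ends up in favicon/head markup is presumably rendered on every page for every visitor, including higher-privileged administrators, so the realistic impact is escalation from a delegated site-builder role to full administrative control rather than a contained nuisance; one sentence saying so would help triage. Whether the module flags this permission with `restrict access: true` in its `*.permissions.yml` — Drupal's signal that the permission is effectively admin-equivalent — is not visible here, but the entry could state it. `severity` is empty and should carry the SA's score.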
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-013",
+ "modified": "2026-02-25T18:45:13.000Z",
+ "published": "2026-02-25T18:45:13.000Z",
+ "aliases": [
+ "CVE-2026-3212"
+ ],
+ "details": "This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.\n\nThe module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/tagify"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.49"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.2.49"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.2.49"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-013"
+ }
+ ],
+ "credits": [
+ {
+ "name": "David L\u00f3pez (akalam)",
+ "contact": [
+ "https://www.drupal.org/u/akalam"
+ ]
+ },
+ {
+ "name": "Mingsong (mingsong)",
+ "contact": [
+ "https://www.drupal.org/u/mingsong"
+ ]
+ }
+ ]
+}
diff --git a/advisories/theme_rule/DRUPAL-CONTRIB-2026-012.json b/advisories/theme_rule/DRUPAL-CONTRIB-2026-012.json
new file mode 100644
index 00000000..b869b42b
--- /dev/null
+++ b/advisories/theme_rule/DRUPAL-CONTRIB-2026-012.json
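Review bot: The `details` text says payloads placed in Tagify's JavaScript template strings execute "when a user creates or edits content", but never says who can plant them — presumably whoever can write the taxonomy term names or descriptions the widget renders, which in many sites is any role with term-creation rights — so the privilege an attacker needs is unknown and there is no mitigation paragraph or `severity`. Suggest naming the input source and the permission required, since that decides whether this is an editor-to-editor stored XSS or something a low-privileged user can use against content editors. Template-string injection is also a CSP-relevant detail: if the payload lands inside an inline script rather than an attribute, a nonce- or hash-based CSP on the edit forms would not mitigate it, which is worth a line for defenders who rely on CSP.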
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.7.0",
+ "id": "DRUPAL-CONTRIB-2026-012",
+ "modified": "2026-02-25T18:44:38.000Z",
+ "published": "2026-02-25T18:44:38.000Z",
+ "aliases": [
+ "CVE-2026-3211"
+ ],
+ "details": "This module allows site builders to create so-called \"theme\\_rule\" config entities. These theme rules can render pages with different themes than the default when certain conditions match.\n\nThe module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.\n\nThis vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist:https://packages.drupal.org/8",
+ "name": "drupal/theme_rule"
+ },
+ "severity": [],
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.1"
+ }
+ ],
+ "database_specific": {
+ "constraint": "<1.2.1"
+ }
+ }
+ ],
+ "database_specific": {
+ "affected_versions": "<1.2.1"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://www.drupal.org/sa-contrib-2026-012"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Juraj Nemec (poker10)",
+ "contact": [
+ "https://www.drupal.org/u/poker10"
+ ]
+ }
+ ]
+}
diff --git a/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json b/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
index 6748e759..5762bfea 100644
--- a/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
+++ b/advisories/ui_icons/DRUPAL-CONTRIB-2026-010.json
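Review bot: The stated mitigation — that the attacker "must know the machine name of the theme rule" — is not a meaningful barrier and should not be presented as one: Drupal config-entity machine names are derived from their human-readable labels, are low-entropy, and appear in exported configuration and in admin URLs, so an attacker with any view of the site's config or a plausible guess has them. The entry also does not say whether the fix in 1.2.1 adds a CSRF token to the GET route or converts the action to a POST/confirmation form; either resolves the state-changing-GET problem, but for sites unable to upgrade immediately the practical mitigation is to limit which roles can administer theme rules, and a sentence to that effect would be more useful than the machine-name caveat. `severity` is empty and should carry the SA's score.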
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.7.0",
 "id": "DRUPAL-CONTRIB-2026-010",
- "modified": "2026-02-11T16:54:18.000Z",
+ "modified": "2026-02-25T17:17:46.000Z",
 "published": "2026-02-11T16:54:18.000Z",
 "aliases": [
 "CVE-2026-2349"
 ],
- "details": "This module enables you to integrate and manage icons with Drupal.\n\nThe module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.\n\nThe vulnerability is mitigated by the fact that in order to be vulnerable, the \"UI Icons for CKEditor 5\" submodule must be enabled.",
+ "details": "This module enables you to integrate and manage icons with Drupal.\n\nThe module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.\n\nThe vulnerability is mitigated by the fact that in order to be vulnerable, the \"UI Icons for CKEditor 5\" submodule must be enabled.\n\n*Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.*",
 "affected": [
 {
 "package": {
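Review bot: The appended note in `details` records that the SA's risk score was corrected because there is no user authentication requirement, but the correction exists only as prose; the entry's `severity` array sits below this hunk and is untouched by the commit, so if it is empty like the other entries in this change, the one fact the edit exists to convey — that this reflected XSS is reachable unauthenticated — is invisible to any consumer that reads the structured fields. Carry the corrected score into `severity` in the same change (a `CVSS_V3` entry, or whatever type the repository uses elsewhere) rather than leaving the note as the only record. Bumping `modified` while `published` stays at the original date is correct for this kind of post-release amendment.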