Cilefen

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.0.0 through 10.5.8 Drupal core versions 10.6.0 through 10.6.6 Drupal core versions 11.0.0 through 11.2.10 Drupal core versions 11.3.0 through 11.3.6 **Description** Drupal core allows Object Injection due to improperly controlled modification of dynamically-determined object attributes. This issue involves a gadget chain—a sequence of existing code fragments—that can be leveraged to achieve remote code execution or SQL injection if the application deserializes untrusted data via the `unserialize()` function due to a separate vulnerability. This issue is not directly exploitable on its own. **Recommendations** Update versions 8.0.0 through 10.5.8 to 10.5.9. Update versions 10.6.0 through 10.6.6 to 10.6.7. Update versions 11.0.0 through 11.2.10 to 11.2.11. Update versions 11.3.0 through 11.3.6 to 11.3.7.

**Name of the Vulnerable Software and Affected Versions** Drupal CAPTCHA versions 0.0.0 through 1.16.9 Drupal CAPTCHA versions 2.0.0 through 2.0.9 **Description** A functionality bypass exists in Drupal CAPTCHA due to insufficient invalidation of security tokens. An attacker may bypass the CAPTCHA on subsequent submissions if they first successfully solve at least one CAPTCHA manually to obtain valid tokens. **Recommendations** Update Drupal CAPTCHA to version 1.17.0 or later. Update Drupal CAPTCHA to version 2.0.10 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal Disable Login Page versions prior to 1.1.3 **Description** An authentication bypass issue exists in Drupal Disable Login Page, allowing functionality bypass through an alternate path or channel. This allows attackers to circumvent login requirements. **Recommendations** Update Drupal Disable Login Page to version 1.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal Entity Share versions prior to 3.13.0 **Description** An authorization issue exists in Drupal Entity Share that permits forceful browsing. This flaw potentially allows unauthorized access to resources. **Recommendations** Update Drupal Entity Share to version 3.13.0 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 8.0.0 through 10.4.9 Drupal versions 10.5.0 through 10.5.6 Drupal versions 11.0.0 through 11.1.9 Drupal versions 11.2.0 through 11.2.8 **Description** An improper check for unusual or exceptional conditions exists in Drupal core, allowing for forceful browsing. This issue impacts the software's ability to handle unexpected input or situations, potentially leading to unauthorized access or information disclosure. **Recommendations** Update Drupal core to version 10.4.9 or later. Update Drupal core to version 10.5.6 or later. Update Drupal core to version 11.1.9 or later. Update Drupal core to version 11.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Acquia DAM versions 0.0.0 through 1.1.4 **Description** A missing authorization issue exists in Drupal Acquia DAM, allowing for forceful browsing. This allows unauthorized access to resources. **Recommendations** Update Acquia DAM to version 1.1.5 or later.

Name of the Vulnerable Software and Affected Versions: Drupal Two-factor Authentication (TFA) versions 0.0.0 through 1.10.0 Description: The issue affects the two-factor authentication (TFA) mechanism, allowing exploitation of incorrectly configured access control security levels due to a privilege defined with unsafe actions. Recommendations: For versions 0.0.0 through 1.10.0, update to version 1.11.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal OAuth2 Client versions 0.0.0 through 4.1.2 **Description** A Cross-Site Request Forgery (CSRF) issue affects the Drupal OAuth2 Client, allowing unauthorized actions to be performed on behalf of the user. This issue may be exploited by an attacker to perform actions without the user's knowledge or consent. **Recommendations** For Drupal OAuth2 Client versions 0.0.0 through 4.1.2, update to version 4.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CKEditor 4 LTS - WYSIWYG HTML editor versions 1.0.0 through 1.0.0 **Description** The issue is related to improper neutralization of input during web page generation, allowing Cross-Site Scripting (XSS). This enables attackers to inject malicious scripts into websites, potentially leading to unauthorized access or control. **Recommendations** For CKEditor 4 LTS - WYSIWYG HTML editor version 1.0.0, update to version 1.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tarte au Citron versions 2.0.0 through 2.0.5 **Description** The issue is related to improper neutralization of input during web page generation, allowing Cross-Site Scripting (XSS) attacks. This can enable a remote attacker to conduct XSS attacks. **Recommendations** For versions 2.0.0 through 2.0.5, consider disabling the vulnerable module until a patch is available. Restrict access to the affected API endpoints to minimize the risk of exploitation. Avoid using vulnerable parameters in the affected web page generation functions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Drupal Core versions 8.0.0 through 10.2.11 Drupal Core versions 10.3.0 through 10.3.9 Drupal Core versions 11.0.0 through 11.0.8 Description: A vulnerability in Drupal Core allows privilege escalation. This issue is related to inconsistencies in uniqueness checking for certain user fields, depending on the database engine and its collation, which may lead to data integrity issues. Recommendations: For Drupal Core versions 8.0.0 through 10.2.11, update to a version after 10.2.11. For Drupal Core versions 10.3.0 through 10.3.9, update to a version after 10.3.9. For Drupal Core versions 11.0.0 through 11.0.8, update to a version after 11.0.8.

**Name of the Vulnerable Software and Affected Versions** Drupal Advanced PWA inc Push Notifications versions 0.0.0 through 1.5.0 **Description** The issue is related to an incorrect authorization vulnerability in the Drupal Advanced PWA inc Push Notifications module, which allows for forceful browsing. This means that an attacker can bypass security restrictions and perform unauthorized actions. The vulnerability can be exploited remotely. **Recommendations** For versions 0.0.0 through 1.5.0, update to version 1.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the module to minimize the risk of exploitation.