Heine Deelstra

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.9.0 through 10.4.9 Drupal core versions 10.5.0 through 10.5.9 Drupal core versions 10.6.0 through 10.6.8 Drupal core versions 11.0.0 through 11.1.9 Drupal core versions 11.2.0 through 11.2.11 Drupal core versions 11.3.0 through 11.3.9 **Description** An unauthenticated SQL injection flaw exists in the database abstraction API of Drupal core, specifically within the PostgreSQL `EntityQuery` condition handler. The issue occurs because attacker-controlled PHP associative array keys, such as those used in JSON:API URLs (e.g., `filter[...][condition][value][malicious key]`), are concatenated directly into SQL identifiers without proper sanitization or escaping. This vulnerability exclusively affects sites using PostgreSQL databases. Successful exploitation allows remote anonymous users to execute arbitrary SQL commands, potentially leading to full database access, exfiltration of sensitive data like session tokens and password hashes, and privilege escalation to Administrator. In environments where database permissions are misconfigured (e.g., allowing `COPY FROM PROGRAM`), it can lead to remote code execution (RCE). Real-world exploitation has been detected globally, with over 15,000 attack probes targeting approximately 6,000 sites, particularly within the gaming and financial services sectors. **Recommendations** Update to version 10.4.10 for versions 8.9.0 through 10.4.9. Update to version 10.5.10 for versions 10.5.0 through 10.5.9. Update to version 10.6.9 for versions 10.6.0 through 10.6.8. Update to version 11.1.10 for versions 11.0.0 through 11.1.9. Update to version 11.2.12 for versions 11.2.0 through 11.2.11. Update to version 11.3.10 for versions 11.3.0 through 11.3.9. Restrict user roles that have the ability to update Twig templates via Views or contributed modules. Route production traffic through a Web Application Firewall (WAF) to filter malicious nested array payload signatures as a temporary mitigation. Review PostgreSQL and WAF logs for unusual anonymous user queries or structural query modifications.

Name of the Vulnerable Software and Affected Versions: Drupal Config Pages versions 0.0.0 through 2.17.9 Description: Missing authorization allows forceful browsing of Config Pages. Recommendations: Update to version 2.18.0 or later.

**Name of the Vulnerable Software and Affected Versions** Ignition Error Pages versions 0.0.0 through 1.0.3 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS), in Drupal Ignition Error Pages. This allows for Cross-Site Scripting (XSS) attacks. **Recommendations** For Ignition Error Pages versions 0.0.0 through 1.0.3, update to version 1.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Security Kit versions 0.0.0 through 2.0.2 **Description** The issue is related to a 'Type Confusion' vulnerability, which allows an attacker to cause a denial of service via HTTP. This vulnerability can be exploited by a remote attacker. **Recommendations** For versions 0.0.0 through 2.0.2, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to resources that may be affected by the 'Type Confusion' vulnerability until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open Social versions 0.0.0 through 12.3.8 Open Social versions 12.4.0 through 12.4.5 **Description** The issue is related to insufficient control over interaction frequency in the Open Social module of the Drupal CMS system. This can be exploited by a remote attacker to cause a denial of service. The problem allows for misuse of functionality due to improper control of interaction frequency. **Recommendations** For Open Social versions 0.0.0 through 12.3.8, update to a version after 12.3.8 to resolve the issue. For Open Social versions 12.4.0 through 12.4.5, update to a version after 12.4.5 to resolve the issue. As a temporary workaround, consider restricting access to the password reset form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced Varnish versions 0.0.0 through 4.0.10 **Description** The issue is related to the insertion of sensitive information into sent data, which can allow forceful browsing. This can be exploited by a remote attacker to bypass security restrictions. The vulnerability is associated with insufficient protection of service data. **Recommendations** For Advanced Varnish versions 0.0.0 through 4.0.10, update to version 4.0.11 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: AES encryption project versions 7.x through 8.x Description: The AES encryption project for Drupal does not sufficiently prevent attackers from decrypting data. This issue is not covered by Drupal's security advisory policy. Recommendations: For versions 7.x through 8.x, update to a version that includes the necessary security patches to prevent data decryption by attackers.

**Name of the Vulnerable Software and Affected Versions** Drupal core versions prior to 8.3.4 **Description** The issue allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations. **Recommendations** For versions prior to 8.3.4, update to version 8.3.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Aggregation module versions prior to 5.x-4.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. **Recommendations** For versions prior to 5.x-4.4, update to version 5.x-4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Aggregation module versions prior to 5.x-4.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 5.x-4.4, update to version 5.x-4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 4.6 and 4.7 before July 8, 2006 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For Drupal versions 4.6 and 4.7 before July 8, 2006, update to a version released after July 8, 2006 to resolve the issue.