it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099
- Date: Wed, 27 Aug 2025 17:19:25 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=KlS853zu; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org DEB1040E21
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 8320060A8A
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-099
Project: Facets [1]
Date: 2025-August-27
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <2.0.10 || >=3.0.0 <3.0.1
CVE IDs: CVE-2025-9549
Description:
This module enables you to to easily create and manage faceted search
interfaces.
The module doesn't sufficiently check access to entities when they are
displayed as facets.
This vulnerability is mitigated by the fact that only sites that show facets
with entity labels (like taxonomy terms) are affected, and only if some of
those entities are unpublished or have other access restrictions.
*CVSS risk score (experimental [3]) 6.9 / Medium*
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4]
Solution:
Install the latest version:
* If you use the Facets module for Drupal 8.x or higher, upgrade to Facets
2.0.10 [5] or Facets 3.0.1 [6]
Reported By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [8] of the Drupal Security Team
* Joris Vercammen (borisson_) [9]
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Thomas Seidl (drunken monkey) [11]
* Jimmy Henderickx (strykaizer) [12]
Coordinated By:
* Benji Fisher (benjifisher) [13] of the Drupal Security Team
* Damien McKenna (damienmckenna) [14] of the Drupal Security Team
* Greg Knaddison (greggles) [15] of the Drupal Security Team
* Drew Webber (mcdruid) [16] of the Drupal Security Team
* Cathy Theys (yesct) [17] of the Drupal Security Team
[1] https://www.drupal.org/project/facets
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/securitydrupalorg/issues/3442181
[4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
[5] https://www.drupal.org/project/facets/releases/2.0.10
[6] https://www.drupal.org/project/facets/releases/3.0.1
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/benjifisher
[9] https://www.drupal.org/u/borisson_
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/drunken-monkey
[12] https://www.drupal.org/u/strykaizer
[13] https://www.drupal.org/u/benjifisher
[14] https://www.drupal.org/u/damienmckenna
[15] https://www.drupal.org/u/greggles
[16] https://www.drupal.org/u/mcdruid
[17] https://www.drupal.org/u/yesct
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099, security-news, 27.08.2025
Archiv bereitgestellt durch MHonArc 2.6.19+.