
it-securitynotifies - [IT-SecNots] [Security-news] Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037
  • Date: Wed, 13 May 2026 17:19:25 +0000
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-037

Project: Date iCal [1]
Date: 2026-May-13
Security risk: *Critical* 17 ∕ 25
AC:None/A:None/CI:All/II:None/E:Theoretical/TD:All [2]
Vulnerability: Information disclosure

Affected versions: <4.0.15
CVE IDs: CVE-2026-8495
Description: 
This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user
inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission; the routes are
accessible to all anonymous users with no configuration required.

Solution: 
Install the latest version:

* If you use the Date iCal module for Drupal 10/11, upgrade to Date iCal
4.0.15 [3]

Reported By: 
* Drew Webber (mcdruid) [4] of the Drupal Security Team

Fixed By: 
* Joël Pittet (joelpittet) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Dave Long (longwave) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Drew Webber (mcdruid) [9] of the Drupal Security Team

Security issue: 
https://git.drupalcode.org/security/38-date_ical-security/-/work_items/1 [10]
------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/date_ical
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/date_ical/releases/4.0.15
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/joelpittet
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/longwave
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/mcdruid
[10] https://git.drupalcode.org/security/38-date_ical-security/-/work_items/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3589652

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
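
To check whether a site's locked dependencies fall in the affected range (<4.0.15), the following added example reads a composer.lock and classifies the Date iCal entry. It is not part of the advisory or the Drupal project's code; it assumes the module is installed through Composer under the package name drupal/date_ical, and the sample lock content is constructed.

```python
import json
import re
import sys

PACKAGE = "drupal/date_ical"  # assumed Composer name (drupal/<project machine name>)
FIXED = (4, 0, 15)            # first fixed release named in the advisory

# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "10.3.1"},
    {"name": "drupal/date_ical", "version": "4.0.14"}
  ],
  "packages-dev": []
}"""


def parse_version(version):
    """Return ((major, minor, patch), is_stable), or None for branch/dev versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version.strip())
    if m is None:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3)), m.group(4) is None


def assess(lock_text):
    """Classify the locked Date iCal version: absent, vulnerable, fixed or unknown."""
    lock = json.loads(lock_text)
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") != PACKAGE:
            continue
        parsed = parse_version(str(pkg.get("version", "")))
        if parsed is None:
            return "unknown"  # e.g. 4.0.x-dev: compare the locked commit by hand
        numbers, stable = parsed
        # Assumption: pre-releases such as 4.0.15-rc1 sort before 4.0.15, so count them as affected.
        if numbers < FIXED or (numbers == FIXED and not stable):
            return "vulnerable"
        return "fixed"
    return "absent"


if __name__ == "__main__":
    # Usage: python check_date_ical.py path/to/composer.lock (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(PACKAGE, assess(text))
```
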
