Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062
  • Date: Wed, 24 Jun 2026 18:46:13 +0000
  • Archived-at: <>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=KElLEVFn; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=NguwqY4y; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=MI29fVpA; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7ED8342EC9
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 01DB2606B1
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 01DB2606B1
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-062

Project: Geolocation Field [1]
Date: 2026-June-24
Security risk: *Critical* 19 ∕ 25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: SQL Injection

Affected versions: <3.15.0
CVE IDs: CVE-2026-13242
Description: 
Geolocation modules adds a field to store coordinates and provides supporting
plumbing for views and other modules.

One of the provided views filters does not sufficiently sanitize values if
exposed to user input resulting in a SQL injection vulnerability.

This vulnerability is mitigated by the fact that a view must exist, that uses
the aforementioned filter and it is set to accept user input.

Solution: 
Install the latest version:

* If you use the Geolocation Field module for Drupal, upgrade to Geolocation
Field 8.x-3.15 [3]

Reported By: 
* Michael Maturi (michaelmaturi) [4]

Fixed By: 
* Michael Maturi (michaelmaturi) [5]
* Christian Adamski (christianadamski) [6]

Coordinated By: 
* cilefen (cilefen) [7] of the Drupal Security Team
* Neil Drumm (drumm) [8] of the Drupal Security Team
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Drew Webber (mcdruid) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team

Security
issue: 
https://git.drupalcode.org/security/185170-geolocation-security/-/work_items/1
[12]
------------------------------------------------------------------------------
Contribution record [13]

[1] https://www.drupal.org/project/geolocation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/geolocation/releases/8.x-3.15
[4] https://www.drupal.org/u/michaelmaturi
[5] https://www.drupal.org/u/michaelmaturi
[6] https://www.drupal.org/u/christianadamski
[7] https://www.drupal.org/u/cilefen
[8] https://www.drupal.org/u/drumm
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/mcdruid
[11] https://www.drupal.org/u/poker10
[12] https://git.drupalcode.org/security/185170-geolocation-security/-/work_items/1
[13] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3600881

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

  • [IT-SecNots] [Security-news] Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062, security-news, 24.06.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang