Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Read Time:1 Minute, 21 Second

Project:

Drupal core

Date:

2023-March-15

Security risk:

Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

Vulnerability:

Information Disclosure

Affected versions:

>=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5

Description:

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By:

Jan Kellermann

Fixed By:

Jan Kellermann
Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Jess of the Drupal Security Team
Sascha Grossenbacher
Neil Drumm of the Drupal Security Team
Dave Long of the Drupal Security Team

Cyber Security News

Drupal core – Moderately critical – Information Disclosure – SA-CORE-2023-003

News, Advisories and much more