Security updates: Websites created with Drupal are vulnerable
Security vulnerabilities in various modules of the Drupal CMS endanger websites created with it.
Drupal admins should ensure that the content management system (CMS) modules they use are up to date. Otherwise, in the worst case, attackers can compromise websites.
Preventing attacks
In the security section of the CMS website, the developers list seven software vulnerabilities that were closed in April. They classify two vulnerabilities as “critical”. One affects the Panels module (CVE-2025-3474), which admins can use to create user-defined pages. Because permissions are not sufficiently controlled, attackers can manipulate this module.
To do this, however, they need certain page information that is not available in the source code of a website. Panels 8.x-4.9 is secured.
The second critical vulnerability (CVE-2025-3131) impacts the ECA: Event module, which is used to define automations. Here, a CSRF attack can be used to access information that is supposed to be sealed off. The security updates are included in ECA 1.1.12, 2.0.16 and 2.1.7.
There are also patches for the Access Code, Gif Player Field, Obfuscate, TacJS and WEB-T modules. It is currently unknown whether attacks are already taking place.
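As an added example (not from the article or the Drupal project), the following Python script compares a module inventory against the fixed releases named above for Panels and ECA. The machine names `panels` and `eca` and the sample inventory are assumptions; releases on branches the article does not mention are reported as unknown rather than guessed.

```python
import re

# Fixed releases as named in the article. The keys are assumed machine
# names; the article gives only the display names "Panels" and "ECA".
FIXED = {
    "panels": ["8.x-4.9"],
    "eca": ["1.1.12", "2.0.16", "2.1.7"],
}

def parse(version):
    """Parse '8.x-4.9' (legacy) or '2.1.7' (semantic) into a tuple of ints.

    Returns None for dev snapshots and pre-releases, which need manual review.
    """
    m = re.fullmatch(r"(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def check(module, installed):
    """Return 'ok', 'update to <release>', 'unknown' or 'not listed'."""
    if module not in FIXED:
        return "not listed"  # the article names no fixed release for it
    have = parse(installed)
    if have is None:
        return "unknown"
    for fixed in FIXED[module]:
        want = parse(fixed)
        # Compare only within the same release branch (all but the last number).
        if len(want) == len(have) and want[:-1] == have[:-1]:
            return "ok" if have >= want else f"update to {fixed}"
    return "unknown"  # branch not mentioned in the article

def audit(inventory):
    """Map every module in the inventory to its check() result."""
    return {name: check(name, version) for name, version in inventory.items()}

# Constructed sample inventory, not taken from a real site.
SAMPLE = {"panels": "8.x-4.8", "eca": "2.0.16", "pathauto": "8.x-1.13"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```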
(des)