Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
Project:
Date:
2023-March-15
Security risk:
Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability:
Information Disclosure
Affected versions:
>=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
Description:
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
This advisory is not covered by Drupal Steward.
Solution:
Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.
Reported By:
Fixed By:
- Jan Kellermann
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- xjm of the Drupal Security Team
- Sascha Grossenbacher
- Neil Drumm of the Drupal Security Team
- Dave Long of the Drupal Security Team