Full Report
Drupal security advisory (AV26-198)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Drupal Contributed Modules (AV26-198)
## CVE Details
- **CVE ID:** Not listed in the advisory summary; refer to the individual SA links under References.
- **CVSS Score:** Not stated; the advisories carry Drupal's own risk ratings, ranging from "Moderately Critical" to "Critical".
- **CWE:** CWE-264 (Permissions, Privileges, and Access Controls), CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:** Drupal Contributed Modules
- **Versions:**
  - **File Access Fix (deprecated):** Versions prior to 1.2.0
  - **AJAX Dashboard:** Versions prior to 3.1.0
  - **Calculation Fields:** Versions prior to 1.0.4
  - **Google Analytics GA4:** Versions prior to 1.1.13
- **Configurations:** Systems running the specific contributed modules listed above.
## Vulnerability Description
Four distinct vulnerabilities have been identified across various Drupal contributed modules:
1. **File Access Fix:** An **Access Bypass** vulnerability exists where the module fails to properly restrict access to files, potentially allowing unauthorized users to view or manipulate protected data.
2. **AJAX Dashboard:** A **Critical Access Bypass** flaw allows users without proper permissions to access dashboard functionalities or data via AJAX requests.
3. **Calculation Fields:** A **Cross-site Scripting (XSS)** vulnerability where input is not properly sanitized before being rendered, potentially allowing an attacker to inject malicious scripts into the browser of other users.
4. **Google Analytics GA4:** A **Cross-site Scripting (XSS)** vulnerability exists within the module's handling of analytics data or configuration, leading to potential script injection.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of advisory; PoC status unconfirmed.
- **Complexity:** Low to Medium (standard web exploitation techniques).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access bypass may expose sensitive data; XSS can steal session cookies).
- **Integrity:** High (Unauthorized access and script execution).
- **Availability:** Medium (Dependent on the specific module’s function).
## Remediation
### Patches
Users are urged to update to the following versions immediately:
- **File Access Fix:** Update to **v1.2.0**
- **AJAX Dashboard:** Update to **v3.1.0**
- **Calculation Fields:** Update to **v1.0.4**
- **Google Analytics GA4:** Update to **v1.1.13**
### Workarounds
- For deprecated modules like **File Access Fix**, it is recommended to uninstall the module if it is no longer required for business operations.
- Disable affected modules temporarily until patches can be applied.
## Detection
- Review web server access logs for unusual AJAX requests targeting the `AJAX Dashboard` module.
- Audit Drupal user permissions to ensure no unexpected access has been granted via the `File Access Fix` module.
- Use vulnerability scanners to detect outdated Drupal module versions.
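The version check above can be done without a scanner by comparing a site's installed Composer packages against the fixed versions in this advisory. The following is an added example, not code from the advisory or from Drupal; the Composer package names are assumptions (the advisory gives display names only), and the input is a constructed sample in the shape of `composer show --format=json` output.

```python
import json
import re

# Fixed versions from AV26-198. Package names are ASSUMED machine names;
# check them against composer.lock before relying on the output.
FIXED_VERSIONS = {
    "drupal/file_access_fix": "1.2.0",
    "drupal/ajax_dashboard": "3.1.0",
    "drupal/calculation_fields": "1.0.4",
    "drupal/google_analytics_ga4": "1.1.13",
}

def parse_version(version):
    """Turn '1.1.12', 'v3.0.9' or legacy '8.x-1.12' into a comparable tuple.
    A pre-release such as '1.2.0-beta1' sorts below the final 1.2.0."""
    v = version.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)          # drop '8.x-' core-compat prefix
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.+))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad '1.1' to (1, 1, 0)
    # Final release (1) outranks any pre-release (0) of the same number.
    return nums + ((1,) if m.group(2) is None else (0,))

def vulnerable_modules(composer_show_json):
    """Return {package: installed_version} for modules below the fixed version.
    Input is the JSON text produced by `composer show --format=json`."""
    installed = json.loads(composer_show_json).get("installed", [])
    findings = {}
    for pkg in installed:
        name = pkg.get("name")
        if name in FIXED_VERSIONS:
            if parse_version(pkg["version"]) < parse_version(FIXED_VERSIONS[name]):
                findings[name] = pkg["version"]
    return findings

# Constructed sample mimicking `composer show --format=json` output.
SAMPLE = json.dumps({"installed": [
    {"name": "drupal/core", "version": "10.3.2"},
    {"name": "drupal/ajax_dashboard", "version": "3.0.9"},
    {"name": "drupal/calculation_fields", "version": "1.0.4"},
    {"name": "drupal/google_analytics_ga4", "version": "1.1.13-beta1"},
    {"name": "drupal/file_access_fix", "version": "8.x-1.1"},
]})

if __name__ == "__main__":
    for name, ver in vulnerable_modules(SAMPLE).items():
        print(f"{name} {ver} < {FIXED_VERSIONS[name]}: update required")
```

On a real site, pipe `composer show --format=json` into `vulnerable_modules`; a module absent from the output is not installed via Composer and needs checking by hand.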
## References
- [Canadian Centre for Cyber Security Advisory] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-198
- [Drupal Security Advisory SA-CONTRIB-2026-021] hxxps[://]www[.]drupal[.]org/sa-contrib-2026-021
- [Drupal Security Advisory SA-CONTRIB-2026-022] hxxps[://]www[.]drupal[.]org/sa-contrib-2026-022
- [Drupal Security Advisory SA-CONTRIB-2026-023] hxxps[://]www[.]drupal[.]org/sa-contrib-2026-023
- [Drupal Security Advisory SA-CONTRIB-2026-024] hxxps[://]www[.]drupal[.]org/sa-contrib-2026-024
- [Drupal Security Main Page] hxxps[://]www[.]drupal[.]org/security