Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
This advisory is not covered by Drupal Steward.Solution: Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.Reported By:
Fixed By:
- Jan Kellermann
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Jess of the Drupal Security Team
- Sascha Grossenbacher
- Neil Drumm of the Drupal Security Team
- Dave Long of the Drupal Security Team
