Newsfeed-Generator

Beginn:  2025-11-19 18:30 Europa/Berlin Organizers:  martinalewis mlkstff rogerpfaff Event type:  User group meeting

https://drupal-usergroup-muenchen.de/events/dugmuc-meetup-november-2025-...

Beim November-Meetup blicken wir auf die vom 14. bis 17. Oktober stattfindende DrupalCon Vienna zurück. Im Mittelpunkt stehen die wichtigsten Impulse aus Keynotes, Sessions und Workshops – von Drupal Canvas und KI-gestützten Workflows bis hin zu Performance und Security sowie Praxis-Cases. Wir diskutieren, welche dieser Entwicklungen und Trends für unsere eigenen Projekte relevant sind und wie wir die neuen Ideen in unserem Alltag als Entwickler:innen, Site-Builder:innen oder Projektverantwortliche:innen nutzen können.

Call for Speakers

Wenn Du in Wien dabei bist und Lust hast, einen kurzen Impuls beizusteuern, melde Dich bitte vorab bei uns – jeder Beitrag zählt!

Was erwartet euch?

DrupalCon Vienna verspricht ein dichtes Programm mit Keynotes, Tracks, Workshops, BoFs und Contribution-Sessions.

Ein paar Highlights, die wir gemeinsam reflektieren können:

• Driesnote & strategische Ausrichtung — neue Impulse für Drupal, Einblicke in die Roadmap, Diskussionen über die Rolle von KI, Plattformentwicklung und Open Web.
• Drupal Canvas – die neue Richtung für komponentenbasiertes Site Building, mit Demonstrationen und Diskussionen zur Einbettung von UI-basierten Bausteinen.
• KI-gestützte Workflows & Automatisierung – von Übersetzungen über Content Generierung bis zu smarten Modulen zur Unterstützung redaktioneller Prozesse.
• Performance, Netzoptimierung & Security – Sessions wie „TCP Fast Open & HTTP/3: Network-Level Optimizations“ oder „Secure by Design“ stehen auf dem Plan.

Ziel des Abends ist es, nicht nur zu berichten, sondern gemeinsam zu diskutieren:

• Was nehmen wir mit für unsere eigenen Drupal-Projekte (technisch, organisatorisch, strategisch)?
• Welche Themen sind für uns besonders relevant und sollten weiter verfolgt werden?
• Welche Impulse können wir in die lokale Community tragen?

Ablauf

• 18:30 Uhr — Ankommen
• 19:00 Uhr — Impulsvorträge: Rückblick auf Highlights
• 20:30 Uhr — Offene Diskussion & Austausch
• 21:00 Uhr — Ausklang

Project: Reverse Proxy HeaderDate: 2025-September-24Security risk: Less critical 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.1.2CVE IDs: CVE-2025-10929Description: 

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.

Solution: 

To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest 1.1.2 version.

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).

This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty array.

This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.

How to verify:

It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`

If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.

If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].

Reccomendation:

Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Bohdan Artemchuk (bohart)
• Drew Webber (mcdruid) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: CurrencyDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.5.0CVE IDs: CVE-2025-10930Description: 

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

Solution: 

Install the latest version:

• If you use the Currency module for Drupal, upgrade to Currency 8.x-3.5

Reported By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher (berdir)
• Pieter Frenssen (pfrenssen)

Coordinated By: 

• Juraj Nemec (poker10) of the Drupal Security Team

Project: Umami AnalyticsDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.1CVE IDs: CVE-2025-10931Description: 

This module enables you to add Umami Analytics web statistics tracking system to your website.

The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should alert administrators that this permission is potentially dangerous and can lead to cross-site scripting (XSS) vulnerabilities.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer umami analytics”.

Solution: 

Install the latest version:

• If you use the Umami Analytics module upgrade to Umami Analytics 1.0.1 or 2.0.-beta3

Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Ivica Puljic (pivica)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of Drupal Security Team

Project: Access codeDate: 2025-September-24Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.5CVE IDs: CVE-2025-10928Description: 

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

Solution: 

Install the latest version:

• If you use access_code module for Drupal, upgrade to access_code 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Gergely Lekli (glekli)
• Pierre Rudloff (prudloff)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Project: Plausible trackingDate: 2025-September-24Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.2CVE IDs: CVE-2025-10927Description: 

This module integrates Plausible Analytics on a site.

The module did not properly filter output in certain cases.

This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.

Solution: 

Install the latest version:

• If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Pierre Rudloff (prudloff)
• Benjamin Rasmussen (ras-ben)

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team

Project: JSON FieldDate: 2025-September-24Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.5CVE IDs: CVE-2025-10926Description: 

This module enables you to store and display JSON data using optional 3rd party libraries.

The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.

Solution: 

Install the latest version:

• If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5.

Reported By: 

• Ivan (chi)

Fixed By: 

• Ivan (chi)
• Damien McKenna (damienmckenna) of the Drupal Security Team

Coordinated By: 

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team

Date: 2025-September-17Description: Supply-chain attack via maintainer account takeover

NPM packages have been targeted in maintainer account takeover attacks. Attackers have deployed an automatic credential scanning tool. The scanning tool tries to find secret keys that may have been published to public systems like build automation and continuous integration (CI) systems and sends such credentials back to the attacker. From there, the vulnerable NPM packages are downloaded, modified to insert a trojan-like script bundle, and then republished. These maliciously modified packages can then be used to exploit any application that has installed these packages.

Coverage and advice on remediation:

• The Hacker News - 40 NPM Packages Compromised
• Socket.dev - Supply Chain Attack
• Aikido - S1ngularity/nx attackers strike again
• Aikido - npm debug and chalk packages compromised
• Wiz.io - Shai-Hulud npm supply chain attack

While this attack has targeted NPM packages, the same strategy could be used to exploit other packages as well.

Managing supply-chain security

Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include CSP and SRI.

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries and any non-Drupal components of the stack. In rare cases, the Drupal Security Team will post an informational public service announcement (PSA) such as this one, but the remit of the Drupal Security Team remains limited to code hosted on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal ecosystem include:

• External libraries and plugins - PSA-2011-002
• Various Third-Party Vulnerabilities - PSA-2019-09-04
• Third-Party Libraries and Supply Chains - PSA-2024-06-26

Impact to the Drupal project itself

Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal core maintainers have received tips about this situation from several sources. Individuals in those groups have evaluated their exposure and we believe the Drupal project itself is not affected by this issue. If you have information about concerns that Drupal is affected please reach out to us.

This post is likely to be be updated as the situation evolves and more information is available.

Reported By: 

• nicxvan

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• cilefen of the Drupal Security Team

Beginn:  2025-09-04 19:30 - 21:30 Europa/Berlin Organizers:  akoe norman.lol stolzenhain Event type:  User group meeting

https://drupal.berlin/

Liebe Berliner Drupal-Community / Dear Berlin Drupal community!

[English version below]

Am kommenden Do, 04.09.2025 laden wir um 19:30 wie gewohnt in den Seminarraum der zum Jubiläum umgebauten c-base, Rungestraße 20 (S/U Jannowitzbrücke) – oder – gleichzeitig zum Live-Stream für die monatliche Drupal-Usergroup ein.

Wir sprechen über Dinge wie:

• Den Drupal Developer Survey 2025
• CKEditor-Erfahrungen vs Markdown?
• Wie administriert Ihr in der Ferienzeit?
• Kommende Drupal-Veranstaltungen

Gebt uns gern Bescheid, wenn Ihr weitere Themen habt: Sorgen, Fragen oder eigene Projekte. Ihr erreicht uns kommenden Donnerstag:

• in der c-base, Rungestraße 20: https://www.c-base.org
• in der Online-Veranstaltung: https://talks.drupal.de/nor-508-xdo-ihf
• davor schon im Drupalchat und Drupal-Slack

Kommt vorbei, schaut online rein, meldet Euch an oder schreibt uns!

--

EN:

Dear Berlin Drupal community!

Next Thursday, Sept 4th 2025 at 19:30 we're inviting you to c-base, Rungestr. 20 (seminar room, S/U Jannowitzbrücke): revamped for it's anniversary – or – a simultaneous livestream (as usual).

We'll be talking about:

• The Drupal Developer Survey 2025
• CKEditor experience vs Markdown?
• How are you administrating projects on holidays?
• Upcoming Drupal events

You're welcome to give us a short note should you bring along own topics: problems, questions or examples of own projects. Next thursday, you'll find us:

• at c-base, Rungestraße 20: https://www.c-base.org
• at the online stream: https://talks.drupal.de/nor-508-xdo-ihf
• for questions + contact at Drupalchat and Drupal Slack

Pass along, show up online, RSVP or contact us.

Project: Acquia DAMDate: 2025-September-03Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypass, Information DisclosureAffected versions: <1.1.5CVE IDs: CVE-2025-9954Description: 

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site.

The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only impacts sites where users having the “view media” permission accessing any DAM asset is undesirable.

CVSS risk score (experimental) 6.9 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Solution: 

Install the latest version which will automatically reset three views to have permission-based access control based on the "access media overview" permission. If you have modified the view access in some other way you will need to redo that modification after upgrading the module.

• If you use the acquia_dam module for Drupal 8.x, upgrade to acquia_dam 1.1.5

Sites that cannot update to this code can mitigate the issue by modifying three views to be restricted to that permission: Acquia DAM Asset Library, Acquia DAM links, DAM Content Overview.

Reported By: 

• Brandon Goodwin (bgoodie)
• Chris Burge (chris burge)
• Todd Woofenden (toddwoof)

Fixed By: 

• Chris Burge (chris burge)
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Jakob P (japerry)
• Todd Woofenden (toddwoof)

Coordinated By: 

• cilefen (cilefen) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Start:  2025-10-06 16:00 - 18:00 UTC Organizers:  figover Event type:  User group meeting

https://applyatjob.com/de/contact

In dieser Schulung können Sie die Entwicklung von Drupal-Websites erlernen. Wenn Sie an dieser Schulung interessiert sind, senden Sie bitte eine Nachricht an https://applyatjob.com/de/contact und teilen Sie uns mit, dass Sie an den Veranstaltungen teilnehmen möchten.