Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
Project: Drupal core Date: 2023-March-15 Security risk: Moderately critical 13∕25 Vulnerability: Information Disclosure Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
Install the latest version:
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.