Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

Project: Drupal core
Date: 2023-March-15
Security risk: Moderately critical 13∕25
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5

Description

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

Solution

Install the latest version:

If you are using Drupal 10.0, update to Drupal 10.0.5.
If you are using Drupal 9.5, update to Drupal 9.5.5.
If you are using Drupal 9.4, update to Drupal 9.4.12.

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.