[Security-news] Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041
security-news at drupal.org
security-news at drupal.org
Wed Aug 30 18:51:12 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-041
Project: Unified Twig Extensions [1]
Date: 2023-August-30
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.1.1
Description:
This module makes PatternLab's custom Twig functions available to Drupal
theming.
The module's included examples don't sufficiently filter data.
This vulnerability is mitigated by the fact that the included examples must
have been copied to a site's theme.
Solution:
Install the latest version:
* If you use the Unified Twig Extensions module, upgrade to Unified Twig
Extensions 1.1.1 [3]
Reported By:
* Pierre Rudloff [4]
Fixed By:
* Oleksandr Kuzava [5]
* Pierre Rudloff [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/unified_twig_ext
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/unified_twig_ext/releases/1.1.1
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/2822325
[6] https://www.drupal.org/user/3611858
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list