View online: https://www.drupal.org/sa-contrib-2025-032
Project: Gif Player Field [1] Date: 2025-April-09 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross site scripting
Affected versions: <1.5.0 || >=2.0.0 <2.0.4 CVE IDs: CVE-2025-31128 Description: Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.
The module uses GifPlayer jQuery library [3] to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.
This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.
Solution: There are multiple steps. First, install the latest version. Second, download and install the library. See details below.
* If you use the Gif Player module for Drupal ^10.3 || ^11, upgrade to Gif Player 2.0.4 [4] * If you are still using the old Gif Player 8.x-1.4 module for Drupal 9/10, upgrade to Gif Player 8.x-1.5 [5] (but it is suggested to to upgrade to the 2.0.4 version if possible, as the 8.x-1.x branch will be phased out soon)
Please notice that the GifPlayer library is not included in the module anymore (file js/gifplayer.js) and needs to be downloaded separately in the /libraries directory (see the README.md for more details).
Reported By: * Pierre Rudloff (prudloff) [6]
Fixed By: * Daniel Rodriguez (danrod) [7]
Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/gifplayer [2] https://www.drupal.org/security-team/risk-levels [3] https://github.com/rubentd/gifplayer [4] https://www.drupal.org/project/gifplayer/releases/2.0.4 [5] https://www.drupal.org/project/gifplayer/releases/8.x-1.5 [6] https://www.drupal.org/u/prudloff [7] https://www.drupal.org/u/danrod [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10