View online: https://www.drupal.org/sa-contrib-2025-043
Project: Block Class [1]
Date: 2025-April-23
Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: >=4.0.0 <4.0.1
CVE IDs: CVE-2025-3902
Description: Block Class enables you to add custom attributes to blocks.
The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer block classes".
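The defect class this advisory describes (admin-supplied attribute text reaching block markup unsanitized) next to a hardened form, as an added PHP illustration that is not the Block Class module's code or its actual fix; the `name => value` input shape, the attribute-name allowlist and the PHP 8 string helpers are assumptions:

```php
<?php
// Added illustration only: NOT the Block Class module's code or its fix.
// Assumes custom attributes arrive as a name => value array (assumed shape)
// and PHP >= 8.0 for str_starts_with()/str_ends_with().

// Attribute names a block may carry. Event-handler (on*) and URL-bearing
// attributes are deliberately absent: only inert presentational names are allowed.
const ALLOWED_ATTRIBUTE_NAMES = ['class', 'id', 'title', 'role', 'data-'];

function is_allowed_attribute_name(string $name): bool {
    // Letters, digits and hyphens only, and never an on* handler name.
    if (!preg_match('/^[a-z][a-z0-9-]*$/', $name) || str_starts_with($name, 'on')) {
        return false;
    }
    foreach (ALLOWED_ATTRIBUTE_NAMES as $allowed) {
        // Exact match, or a prefix match for the "data-" family.
        if ($name === $allowed || (str_ends_with($allowed, '-') && str_starts_with($name, $allowed))) {
            return true;
        }
    }
    return false;
}

// Insecure pattern: raw interpolation of supplied names and values into markup.
function render_block_attributes_unsafe(array $attributes): string {
    $out = '';
    foreach ($attributes as $name => $value) {
        $out .= " $name=\"$value\"";
    }
    return $out;
}

// Hardened pattern: allowlist the name, escape the value with ENT_QUOTES so a
// quote inside the value cannot close the attribute and open another one.
function render_block_attributes_safe(array $attributes): string {
    $out = '';
    foreach ($attributes as $name => $value) {
        $name = strtolower((string) $name);
        if (!is_allowed_attribute_name($name)) {
            continue; // Drop unknown or scriptable attribute names instead of rendering them.
        }
        $out .= ' ' . $name . '="' . htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
    }
    return $out;
}

// Constructed sample input: a benign class, a title containing a quote, and a
// handler-style name that the hardened renderer must refuse.
$input = ['class' => 'promo', 'title' => 'Say "hi"', 'onmouseover' => 'x'];
echo '<div' . render_block_attributes_unsafe($input) . "></div>\n";
echo '<div' . render_block_attributes_safe($input) . "></div>\n";
```

The unsafe renderer emits the handler attribute and lets the embedded quote terminate the title attribute; the hardened one drops the handler and emits `title="Say &quot;hi&quot;"`.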
Solution: Install the latest version:
* If you use Block Class 4.0.x, upgrade to Block Class 4.0.1 [3]
Reported By: * Ivo Van Geertruyen (mr.baileys) [4] of the Drupal Security Team
Fixed By: * renatog [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/block_class
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_class/releases/4.0.1
[4] https://www.drupal.org/u/mrbaileys
[5] https://www.drupal.org/u/renatog
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10