View online: https://www.drupal.org/sa-contrib-2023-016
Project: Iubenda Integration [1]
Date: 2023-May-31
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description: The Iubenda Integration module provides a custom block that links to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.
The module does not sufficiently filter these block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the Layout Builder on content or to edit the layout, or a role with the "Administer blocks" permission.
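To make the defect class concrete, below is an added example of a Drupal 9+ block plugin with the same shape (admin-entered prefix and suffix around a link), showing the output-filtering mistake beside the hardened form. This is illustrative code written for this advisory, not the Iubenda Integration module's source; the plugin id, class name and link URL are assumptions.

```php
<?php

// Hypothetical module namespace; not the Iubenda Integration module.
namespace Drupal\example_policy_link\Plugin\Block;

use Drupal\Core\Block\BlockBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Link;
use Drupal\Core\Render\Markup;
use Drupal\Core\Url;

/**
 * Renders admin-entered prefix/suffix text around a privacy-policy link.
 *
 * @Block(
 *   id = "example_policy_link",
 *   admin_label = @Translation("Example policy link (added example)")
 * )
 */
class ExamplePolicyLinkBlock extends BlockBase {

  public function defaultConfiguration() {
    return ['prefix' => '', 'suffix' => ''] + parent::defaultConfiguration();
  }

  public function blockForm($form, FormStateInterface $form_state) {
    // Both fields are free text entered by anyone who can configure the block.
    foreach (['prefix', 'suffix'] as $key) {
      $form[$key] = [
        '#type' => 'textfield',
        '#title' => $this->t('@key text', ['@key' => ucfirst($key)]),
        '#default_value' => $this->configuration[$key],
      ];
    }
    return $form;
  }

  public function blockSubmit($form, FormStateInterface $form_state) {
    // Storing the raw string is fine; the filtering decision belongs at output.
    $this->configuration['prefix'] = $form_state->getValue('prefix');
    $this->configuration['suffix'] = $form_state->getValue('suffix');
  }

  public function build() {
    // Assumed URL; a real block would read it from configuration.
    $link = Link::fromTextAndUrl(
      $this->t('Privacy policy'),
      Url::fromUri('https://example.com/privacy')
    )->toRenderable();

    // VULNERABLE pattern (kept as a comment): Markup::create() marks the
    // stored string as already-safe HTML, so the renderer emits it verbatim
    // and a stored <script> or onerror= attribute reaches every visitor.
    //
    //   return ['#markup' => Markup::create(
    //     $this->configuration['prefix'] . ' ' . $this->configuration['suffix']
    //   )];

    // Hardened form: '#plain_text' HTML-escapes the value on output. If the
    // site genuinely needs limited inline markup, a plain string under
    // '#markup' is run through Xss::filterAdmin() by the renderer instead.
    return [
      'prefix' => ['#plain_text' => $this->configuration['prefix']],
      'link' => $link,
      'suffix' => ['#plain_text' => $this->configuration['suffix']],
    ];
  }

}
```

The point of the contrast is where the trust decision is made: text saved by a block administrator is untrusted at render time, so the render array must either escape it (`#plain_text`) or let the renderer filter it (a plain string in `#markup`), rather than wrapping it in a `MarkupInterface` object that bypasses both.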
Solution: Install the latest version:
* If you use the Iubenda Integration module for Drupal 9+, upgrade to Iubenda Integration 4.0.1 [3]
* If you use the Iubenda Integration module for Drupal 7, upgrade to Iubenda Integration 7.x-2.5 [4]
Reported By:
* Mitch Portier [5]
Fixed By:
* Roberto Peruzzo [6]
* Mitch Portier [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/iubenda_integration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/iubenda_integration/releases/4.0.1
[4] https://www.drupal.org/project/iubenda_integration/releases/7.x-2.5
[5] https://www.drupal.org/user/2284182
[6] https://www.drupal.org/user/2661375
[7] https://www.drupal.org/user/2284182
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762