View online: https://www.drupal.org/sa-contrib-2025-090
Project: Block Attributes [1]
Date: 2025-July-16
Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7715
Description: This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.
This vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.
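As an added illustration, not code from the Block Attributes module or from its fix, the following shows the kind of defender-side check that closes this class of issue: the user-supplied attribute name is validated against a strict pattern and event-handler names (on*) are rejected before the attribute ever reaches the renderer. The function name and the sample inputs are hypothetical and constructed for this example.

```php
<?php
/**
 * Added example (not the module's own code): decide whether a user-supplied
 * HTML attribute name may be rendered onto a block.
 *
 * This covers the attribute *name* only. Attribute values must still be
 * escaped by the rendering layer (e.g. Drupal's Attribute class), but a
 * well-escaped value inside an onmouseover attribute is still script, so the
 * name itself has to be restricted.
 */
function block_attributes_example_is_safe_attribute_name(string $name): bool {
  $name = trim($name);

  // A well-formed attribute name: starts with a letter, then letters, digits,
  // hyphen, underscore or colon. Anything else (spaces, quotes, '=', '/', '>')
  // could break out of the tag or inject a second attribute.
  if (!preg_match('/^[A-Za-z][A-Za-z0-9_:-]*$/', $name)) {
    return FALSE;
  }

  $lower = strtolower($name);

  // Every HTML event handler begins with "on" (onmouseover, onkeyup, onclick,
  // onerror, ...). Rejecting the whole prefix is deliberately conservative so
  // that a new or vendor-specific handler cannot slip through an allowlist.
  if (str_starts_with($lower, 'on')) {
    return FALSE;
  }

  // Attributes whose value the browser interprets as a URL, code or CSS are
  // also script vectors even though they are not event handlers.
  $denied = ['href', 'src', 'action', 'formaction', 'srcdoc', 'style', 'xlink:href'];
  if (in_array($lower, $denied, TRUE)) {
    return FALSE;
  }

  return TRUE;
}

// Constructed sample inputs: the first two are the legitimate use case, the
// rest are the kinds of names this check exists to reject.
$samples = ['data-tracking', 'aria-label', 'onmouseover', 'OnKeyUp', 'style', 'x y', 'href'];
foreach ($samples as $attr) {
  printf("%-14s %s\n", $attr,
    block_attributes_example_is_safe_attribute_name($attr) ? 'allowed' : 'rejected');
}
```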
Solution: Install the latest version:
* If you use the Block Attributes module for Drupal, upgrade to Block Attributes 8.x-1.1 [3] or Block Attributes 2.0.1 [4].
Reported By:
* Pierre Rudloff (prudloff) [5] provisional member of the Drupal Security Team
Fixed By:
* Kostia Bohach (_shy) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff), provisional member of the Drupal Security Team [9]
* Jess (xjm) [10] of the Drupal Security Team

[1] https://www.drupal.org/project/block_attributes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_attributes/releases/8.x-1.1
[4] https://www.drupal.org/project/block_attributes/releases/2.0.1
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/xjm