View online: https://www.drupal.org/sa-contrib-2025-084

Project: Paragraphs table [1] Date: 2025-June-25 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Scripting

Affected versions: >=2.0.0 <2.0.5 CVE IDs: CVE-2025-6677 Description:  Project Paragraphs table provides a field for a collection table.

The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution:  Install the latest version:

* If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to paragraphs table 2.0.5 [3]

Reported By:  * Pierre Rudloff (prudloff) [4]

Fixed By:  * Joseph Olstad (joseph.olstad) [5] * NGUYEN Bao (lazzyvn) [6]

Coordinated By:  * Greg Knaddison (greggles) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team

[1] https://www.drupal.org/project/paragraphs_table [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/paragraphs_table/releases/2.0.5 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/josepholstad [6] https://www.drupal.org/u/lazzyvn [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10