Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083
View online: https://www.drupal.org/sa-contrib-2025-083

Project: Simple XML sitemap [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: < 4.2.2
CVE IDs: CVE-2025-6676

Description:
Simple XML sitemap [3] is an SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.

The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting (XSS) attack vector.

This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.

Solution:
Addressing this vulnerability requires two steps:

* If you use simple_sitemap, upgrade to at least 4.2.2 [4] or a later, supported version.
* For all versions, ensure your permissions are assigned to appropriate roles and that users with the "administer sitemap settings" permission are trusted.

Reported By:
* Nick Vanpraet (grayle) [5]

Fixed By:
* David Rothstein (David_Rothstein) [6]
* Pawel Ginalski (gbyte) [7]

Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Michael Hess (mlhess) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team

[1] https://www.drupal.org/project/simple_sitemap
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/simple_sitemap
[4] https://www.drupal.org/project/simple_sitemap/releases/4.2.2
[5] https://www.drupal.org/u/grayle
[6] https://www.drupal.org/u/david_rothstein
[7] https://www.drupal.org/u/gbyte
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/poker10
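As an added check that is not part of the advisory, the script below evaluates both solution steps against a site: whether the installed simple_sitemap release is below 4.2.2, and which roles hold 'administer sitemap settings'. It reads the JSON printed by `composer show --format=json` and `drush role:list --format=json`; the field layout assumed for both outputs and the sample documents are constructed assumptions, not real site data.

```python
import json
import re

PACKAGE = "drupal/simple_sitemap"
FIXED_VERSION = (4, 2, 2)          # first release carrying the fix (from the advisory)
PERMISSION = "administer sitemap settings"


def parse_version(text):
    """'4.2.1', 'v4.2.1' or '4.2.x-dev' -> comparable tuple; missing parts count as 0,
    so a dev/x branch is treated as the lowest patch level (conservative)."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version):
    return parse_version(version) < FIXED_VERSION


def sitemap_version(composer_show_json):
    """Installed simple_sitemap version, or None if the package is absent.
    Assumes `composer show --format=json` yields {"installed": [{"name", "version"}, ...]}."""
    for pkg in json.loads(composer_show_json).get("installed", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def roles_with_permission(role_list_json, permission=PERMISSION):
    """Role ids granting the permission. Assumes `drush role:list --format=json` yields
    {rid: {"perms": [...]}}. Caveat: Drupal's is_admin role holds every permission
    implicitly and lists none here, so audit its members separately."""
    roles = json.loads(role_list_json)
    return sorted(rid for rid, info in roles.items() if permission in info.get("perms", []))


def audit(composer_show_json, role_list_json):
    """Findings for SA-CONTRIB-2025-083; an empty list means nothing to do."""
    version = sitemap_version(composer_show_json)
    if version is None:
        return []                    # module not installed: advisory does not apply
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"{PACKAGE} {version} is below 4.2.2: upgrade")
    holders = roles_with_permission(role_list_json)
    if holders:
        findings.append(f"roles holding '{PERMISSION}': {', '.join(holders)}; confirm they are trusted")
    return findings


# Constructed sample inputs, not real site data.
SAMPLE_COMPOSER = '{"installed": [{"name": "drupal/core", "version": "10.3.1"}, ' \
                  '{"name": "drupal/simple_sitemap", "version": "4.2.1"}]}'
SAMPLE_ROLES = '{"anonymous": {"rid": "anonymous", "perms": ["access content"]}, ' \
               '"seo_editor": {"rid": "seo_editor", "perms": ["access content", "administer sitemap settings"]}}'

if __name__ == "__main__":
    for line in audit(SAMPLE_COMPOSER, SAMPLE_ROLES) or ["no findings"]:
        print(line)
```

On a live site, pipe the two commands' output into `audit()` instead of the samples; only a site administrator's shell is needed, nothing is changed.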