Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007 - Security-news

22 Jan 2025


      View online: https://www.drupal.org/sa-contrib-2025-007
Project: Ignition Error Pages [1]
Date: 2025-January-22
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.4
Description: 
This module enables you to render error pages using the Ignition package.
The module disables certain Drupal core code and does not perform sufficient
filtering, allowing HTML to be injected in certain situations leading to a
Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that this module is for
development purposes and is not intended to be installed on production
environments.
Solution: 
Install the latest version:
* If you use the Ignition Error Pages module for Drupal 10/11, upgrade to
     Ignition Error Pages 1.0.4 [3]
Reported By: 
   * Dieter Holvoet [4]
Fixed By: 
   * catch [5] of the Drupal Security Team
   * Dieter Holvoet [6]
   * Heine Deelstra [7] of the Drupal Security Team
Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team
   * Juraj Nemec [9] of the Drupal Security Team
   * James Gilliland [10] of the Drupal Security Team
[1] https://www.drupal.org/project/ignition
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ignition/releases/1.0.4
[4] https://www.drupal.org/user/3567222
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/3567222
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/u/neclimdul