View online: https://www.drupal.org/sa-contrib-2023-041

Project: Unified Twig Extensions [1] Date: 2023-August-30 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting

Affected versions: <1.1.1 Description:  This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Solution:  Install the latest version:

* If you use the Unified Twig Extensions module, upgrade to Unified Twig Extensions 1.1.1 [3]

Reported By:  * Pierre Rudloff [4]

Fixed By:  * Oleksandr Kuzava [5] * Pierre Rudloff [6]

Coordinated By:  * Damien McKenna [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/unified_twig_ext [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/unified_twig_ext/releases/1.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2822325 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/108450 [8] https://www.drupal.org/user/36762