[Security-news] Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
security-news at drupal.org
security-news at drupal.org
Wed Apr 9 17:04:47 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-032
Project: Gif Player Field [1]
Date: 2025-April-09
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting
Affected versions: <1.5.0 || >=2.0.0 <2.0.4
CVE IDs: CVE-2025-31128
Description:
Gif Player Field creates a simple file field types that allows you to upload
the GIF files and configure the output for this using the Field Formatters.
The module uses GifPlayer jQuery library [3] to render the GIF according to
configured setups for the Field Formatter. The external Gif Player Library
doesn't satinize the attributes properly when rendering the widget, allowing
a malicious user to run XSS attacks.
This vulnerability is mitigated by the fact that an attacker would need to
have an account on the website and be able to create an image tag with a
data-label element. There are no fields that allow that element on a default
Drupal site for a user with user-level permissions.
Solution:
There are multiple steps. First, install the latest version. Second, download
and install the library. See details below.
* If you use the Gif Player module for Drupal ^10.3 || ^11, upgrade to Gif
Player 2.0.4 [4]
* If you are still using the old Gif Player 8.x-1.4 module for Drupal 9/10,
upgrade to Gif Player 8.x-1.5 [5] (but it is suggested to to upgrade to
the 2.0.4 version if possible, as the 8.x-1.x branch will be phased out
soon)
Please notice that the GifPlayer library is not included in the module
anymore (file js/gifplayer.js) and needs to be downloaded separately in the
/libraries directory (see the README.md for more details).
Reported By:
* Pierre Rudloff (prudloff) [6]
Fixed By:
* Daniel Rodriguez (danrod) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/gifplayer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://github.com/rubentd/gifplayer
[4] https://www.drupal.org/project/gifplayer/releases/2.0.4
[5] https://www.drupal.org/project/gifplayer/releases/8.x-1.5
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/danrod
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
More information about the Security-news
mailing list