[Security-news] Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043
security-news at drupal.org
Wed Apr 23 16:59:02 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-043
Project: Block Class [1]
Date: 2025-April-23
Security risk: *Moderately critical* 12/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: >=4.0.0 <4.0.1
CVE IDs: CVE-2025-3902
Description:
Block Class enables you to add custom attributes to blocks.
The module did not sufficiently sanitize custom attribute input, allowing for
potential XSS attacks when malicious JavaScript was injected as a custom
attribute.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer block classes".
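The weakness described above is a failure to sanitize administrator-supplied attribute names and values before they reach block markup. The following is an added illustration of the defensive pattern, not the Block Class module's code or its actual fix; the helper names, the allow-pattern and the list of refused attributes are assumptions, and PHP 8 is assumed for str_starts_with.

```php
<?php
// Added example (not Block Class code): render custom block attributes safely.
// Names must match a conservative pattern, event-handler and URL-bearing
// attributes are refused, and values are escaped for the attribute context.

/**
 * Return [name, escapedValue] for an acceptable attribute, or null to drop it.
 * Hypothetical helper; the policy below is an assumption, not the module's.
 */
function sanitize_custom_attribute(string $name, string $value): ?array {
    // Names: start with a letter, then letters, digits, '-', '_' or ':'.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_:-]*$/', $name)) {
        return null;
    }
    $lower = strtolower($name);
    // Refuse inline event handlers (onclick, onload, ...) outright.
    if (str_starts_with($lower, 'on')) {
        return null;
    }
    // Refuse attributes whose value is a URL, a script target or CSS.
    $refused = ['href', 'src', 'style', 'action', 'formaction', 'srcdoc'];
    if (in_array($lower, $refused, true)) {
        return null;
    }
    // Escape quotes, angle brackets and ampersands for a double-quoted value.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [$lower, $escaped];
}

/**
 * Build the attribute string for a block wrapper from a name => value map.
 */
function render_block_attributes(array $attributes): string {
    $parts = [];
    foreach ($attributes as $name => $value) {
        $pair = sanitize_custom_attribute((string) $name, (string) $value);
        if ($pair !== null) {
            $parts[] = $pair[0] . '="' . $pair[1] . '"';
        }
    }
    return implode(' ', $parts);
}

// Constructed sample input standing in for what an administrator might save.
$custom = [
    'data-track' => 'hero"><em>x</em',  // quote and brackets are escaped
    'onmouseover' => 'x',               // event handler: dropped
    'class' => 'promo wide',            // ordinary attribute: kept
];
echo '<div ' . render_block_attributes($custom) . '>...</div>', PHP_EOL;
```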
Solution:
Install the latest version:
* If you use Block Class 4.0.x, upgrade to Block Class 4.0.1 [3]
Reported By:
* Ivo Van Geertruyen (mr.baileys) [4] of the Drupal Security Team
Fixed By:
* renatog [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/block_class
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_class/releases/4.0.1
[4] https://www.drupal.org/u/mrbaileys
[5] https://www.drupal.org/u/renatog
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10