[Security-news] Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
security-news at drupal.org
security-news at drupal.org
Wed Jan 22 17:31:24 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-007
Project: Ignition Error Pages [1]
Date: 2025-January-22
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.4
Description:
This module enables you to render error pages using the Ignition package.
The module disables certain Drupal core code and does not perform sufficient
filtering, allowing HTML to be injected in certain situations leading to a
Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that this module is for
development purposes and is not intended to be installed on production
environments.
Solution:
Install the latest version:
* If you use the Ignition Error Pages module for Drupal 10/11, upgrade to
Ignition Error Pages 1.0.4 [3]
Reported By:
* Dieter Holvoet [4]
Fixed By:
* catch [5] of the Drupal Security Team
* Dieter Holvoet [6]
* Heine Deelstra [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
* James Gilliland [10] of the Drupal Security Team
[1] https://www.drupal.org/project/ignition
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ignition/releases/1.0.4
[4] https://www.drupal.org/user/3567222
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/3567222
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/u/neclimdul
More information about the Security-news
mailing list