[Security-news] Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024
security-news at drupal.org
security-news at drupal.org
Wed Mar 19 18:52:54 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-024
Project: Link field display mode formatter [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <1.6.0
Description:
This module adds a formatter for link fields that displays the current entity
with another view mode inside the link.
Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Solution:
Install the latest version:
* If you use the Link field display mode formatter module for Drupal 10 or
11, upgrade to Link field display mode formatter 8.x-1.6 [3]
* Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
* Daniel Wehner (dawehner) [4]
* Joseph Zhao (pandaski) [5] Provisional Member of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [6] of the Drupal Security Team
* Joseph Zhao (pandaski) [7] Provisional Member of the Drupal Security Team
* Rodrigo Aguilera (rodrigoaguilera) [8]
Coordinated By:
* Bram Driesen (bramdriesen) [9] Provisional Member of the Drupal Security
Team
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Drew Webber (mcdruid) [11] of the Drupal Security Team
* Juraj Nemec (poker10) [12] of the Drupal Security Team
[1] https://www.drupal.org/project/link_field_display_mode_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3]
https://www.drupal.org/project/link_field_display_mode_formatter/releases/8.x-1.6
[4] https://www.drupal.org/u/dawehner
[5] https://www.drupal.org/u/pandaski
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/pandaski
[8] https://www.drupal.org/u/rodrigoaguilera
[9] https://www.drupal.org/u/bramdriesen
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/mcdruid
[12] https://www.drupal.org/u/poker10
More information about the Security-news
mailing list