[Security-news] RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

security-news at drupal.org security-news at drupal.org
Wed Mar 19 18:53:23 UTC 2025 

View online: https://www.drupal.org/sa-contrib-2025-025

Project: RapiDoc OAS Field Formatter [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting

Affected versions: <1.0.1
Description: 
This module can be used to render Open API Documentation using the RapiDoc
library. The module provides a custom formatter for link fields.

Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.

Solution: 
Install the latest version:

  * If you use the RapiDoc OAS Field Formatter module for Drupal 10, upgrade
    to RapiDoc OAS Field Formatter 1.0.1 [3]
  * Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5

Reported By: 
  * Joseph Zhao (pandaski) [4] Provisional Member of the Drupal Security Team

Fixed By: 
  * Arlina Espinoza Rhoton (arlina) [5]
  * Benji Fisher (benjifisher) [6] of the Drupal Security Team
  * Lee Rowlands (larowlan) [7] of the Drupal Security Team

Coordinated By: 
  * Bram Driesen (bramdriesen) [8] Provisional Member of the Drupal Security
    Team
  * Greg Knaddison (greggles) [9] of the Drupal Security Team
  * Drew Webber (mcdruid) [10] of the Drupal Security Team
  * Juraj Nemec (poker10) [11] of the Drupal Security Team


[1] https://www.drupal.org/project/rapidoc_elements_field_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3]  
https://www.drupal.org/project/rapidoc_elements_field_formatter/releases/1.0.1
[4] https://www.drupal.org/u/pandaski
[5] https://www.drupal.org/u/arlina
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/bramdriesen
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/mcdruid
[11] https://www.drupal.org/u/poker10

More information about the Security-news mailing list