it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
- Date: Wed, 22 Jan 2025 17:31:24 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-007
Project: Ignition Error Pages [1]
Date: 2025-January-22
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.4
Description:
This module enables you to render error pages using the Ignition package.
The module disables certain Drupal core code and does not perform sufficient
filtering, allowing HTML to be injected in certain situations leading to a
Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that this module is for
development purposes and is not intended to be installed on production
environments.
Solution:
Install the latest version:
* If you use the Ignition Error Pages module for Drupal 10/11, upgrade to
Ignition Error Pages 1.0.4 [3]
Reported By:
* Dieter Holvoet [4]
Fixed By:
* catch [5] of the Drupal Security Team
* Dieter Holvoet [6]
* Heine Deelstra [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
* James Gilliland [10] of the Drupal Security Team
[1] https://www.drupal.org/project/ignition
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ignition/releases/1.0.4
[4] https://www.drupal.org/user/3567222
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/3567222
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/272316
[10] https://www.drupal.org/u/neclimdul
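A check a site maintainer can run against the advisory's affected range and its development-only mitigation, as an added example that is not part of the advisory or the module's code: it reads a `composer.lock`, reports whether the module is below 1.0.4, and whether it is listed under `packages-dev`. The Composer package name `drupal/ignition` is an assumption derived from the project URL, and the sample lock file is constructed.

```python
import json
import re

PACKAGE = "drupal/ignition"  # assumption: Composer name for drupal.org/project/ignition
FIXED = (1, 0, 4)            # first fixed release according to the advisory

# Constructed sample: the module pinned at an affected version in the
# production dependency section of composer.lock.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "drupal/core", "version": "10.3.1"},
                 {"name": "drupal/ignition", "version": "1.0.3"}],
    "packages-dev": [],
})

def parse_version(raw):
    """Return (major, minor, patch), or None for dev/branch/pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def audit_lock(lock_text):
    """List every lock entry for the module with its status and section."""
    lock = json.loads(lock_text)
    findings = []
    for section, dev_only in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section) or []:
            if pkg.get("name") != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                status = "unknown-version"  # e.g. a -dev branch: review by hand
            elif version < FIXED:
                status = "affected"
            else:
                status = "fixed"
            findings.append({"version": pkg.get("version"),
                             "status": status, "dev_only": dev_only})
    return findings

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        where = "packages-dev" if f["dev_only"] else "packages (installed even with --no-dev)"
        print(f"{PACKAGE} {f['version']}: {f['status']}, listed under {where}")
```

An entry reported as `affected` with `dev_only` false is the case the advisory's mitigation does not cover, since that dependency is installed on production builds as well.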