it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026
- Date: Wed, 19 Mar 2025 18:53:44 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b="jm/I9I2j"; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 7640461B05
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 8B20F40114
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-026
Project: Formatter Suite [1]
Date: 2025-March-19
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <2.1.0
Description:
Formatter Suite provides a suite of field formatters to help present numbers,
dates, times, text, links, entity references, files, and images. The module
provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can
lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a
concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by that fact that an attacker would need to
have the ability to add specific attributes to a Link field, which typically
requires edit access via core web services, or a contrib or custom module.
Solution:
Install the latest version:
* If you use the Formatter Suite module for Drupal 10, upgrade to Formatter
Suite 2.1.0 [3]
* Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
* Daniel Wehner (dawehner) [4]
* Joseph Zhao (pandaski) [5] Provisional Member of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [6] of the Drupal Security Team
* Bram Driesen (bramdriesen) [7] Provisional Member of the Drupal Security
Team
* cyoun [8]
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
* Joseph Zhao (pandaski) [10] Provisional Member of the Drupal Security Team
Coordinated By:
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
[1] https://www.drupal.org/project/formatter_suite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/formatter_suite/releases/2.1.0
[4] https://www.drupal.org/u/dawehner
[5] https://www.drupal.org/u/pandaski
[6] https://www.drupal.org/u/benjifisher
[7] https://www.drupal.org/u/bramdriesen
[8] https://www.drupal.org/u/cyoun
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/pandaski
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/poker10
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026, security-news, 19.03.2025
Archiv bereitgestellt durch MHonArc 2.6.19+.