Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029
  • Date: Wed, 2 Apr 2025 17:03:16 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=H7+TP1r5; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org D184783F7D
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org D6ED06070A
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-029

Project: Obfuscate [1]
Date: 2025-April-02
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Affected versions: <2.0.1
CVE IDs: CVE-2025-3130
Description: 
This module enables you to obfuscate email addresses, to avoid them being
easily available to spammers.

The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role
with the ability to enter specific HTML tag attributes. In a default Drupal
installation this would require the administrator role and use of the Full
HTML text format. It also requires that the ROT13 encoding be enabled in
Obfuscate settings.

Solution: 
Install the latest version:

* Upgrade to Obfuscate 2.0.1 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4]

Fixed By: 
* Nigel Cunningham (nigelcunningham) [5]
* Pierre Rudloff (prudloff) [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/obfuscate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/obfuscate/releases/2.0.1
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/nigelcunningham
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029, security-news, 02.04.2025

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang