it-securitynotifies AT lists.piratenpartei.de
[IT-SecNots] [Security-news] Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
  • Date: Wed, 9 Apr 2025 17:04:47 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-032

Project: Gif Player Field [1]
Date: 2025-April-09
Security risk: *Moderately critical* 12/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting

Affected versions: <1.5.0 || >=2.0.0 <2.0.4
CVE IDs: CVE-2025-31128
Description: 
Gif Player Field provides a simple file field type that allows you to upload
GIF files and configure how they are output using field formatters.

The module uses the GifPlayer jQuery library [3] to render the GIF according
to the field formatter's configuration. The external GifPlayer library does
not properly sanitize element attributes when rendering the widget, allowing
a malicious user to perform cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker would need to
have an account on the website and be able to create an image tag carrying a
data-label attribute. No field on a default Drupal site allows that attribute
for a user with only ordinary user-level permissions.
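Added example, written for this page and not taken from the GifPlayer library or the Drupal module: a minimal model of the bug class the advisory describes, a client-side widget that reads a data-* attribute and concatenates it into markup. Only the attribute name data-label comes from the advisory; the function names, the widget's span markup and the sample payload are assumptions. The point it makes is that the browser decodes entities when it reads an attribute value, so a value that was escaped server-side comes back raw from getAttribute() or jQuery's .data(), and a library that then pushes it through an HTML sink reintroduces the markup.

```javascript
// Added example, not code from the GifPlayer library or the Drupal module.
// Models the bug class: a widget copies a data-label attribute into markup.
// Function names, the span markup and the payload are hypothetical.

// What the browser hands back for $(el).data('label') / el.getAttribute():
// the attribute value with HTML entities already decoded.
function decodeAttributeValue(raw) {
  return String(raw)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // decode &amp; last so "&amp;lt;" becomes "&lt;"
}

// Escape a string for insertion as HTML text or attribute content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the decoded attribute value is concatenated into an
// HTML string that the widget later passes to innerHTML or jQuery .html().
function renderLabelUnsafe(label) {
  return '<span class="gifplayer-label">' + label + '</span>';
}

// Hardened pattern: same markup, value escaped on its way into the HTML sink.
function renderLabelSafe(label) {
  return '<span class="gifplayer-label">' + escapeHtml(label) + '</span>';
}

// Does the rendered fragment contain any element other than the widget's span?
function hasInjectedMarkup(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

// Constructed sample: the data-label value as stored in an allowed <img> tag.
// Even if a server-side filter escaped the angle brackets, the browser decodes
// them again before the widget reads the attribute.
const STORED_ATTRIBUTE = '&lt;img src=x onerror=alert(1)&gt;';

// Render the constructed sample both ways and report whether markup leaked.
function demo(stored = STORED_ATTRIBUTE) {
  const label = decodeAttributeValue(stored);
  const unsafe = renderLabelUnsafe(label);
  const safe = renderLabelSafe(label);
  return {
    unsafe,
    safe,
    unsafeInjects: hasInjectedMarkup(unsafe), // true: the <img> survives
    safeInjects: hasInjectedMarkup(safe),     // false: it is now text
  };
}

console.log(demo());
```

In real DOM code the fix is to avoid the HTML sink altogether (textContent, or jQuery .text(), for the label) rather than to escape and then call .html(); the escaping variant is shown because it can be checked as a plain string without a browser. The same reasoning applies to any other data-* attribute the widget copies into markup, not just the label.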

Solution: 
There are multiple steps. First, install the latest version. Second, download
and install the library. See details below.

* If you use the Gif Player module with Drupal ^10.3 || ^11, upgrade to Gif
Player 2.0.4 [4]
* If you are still using the old Gif Player 8.x-1.4 module with Drupal 9/10,
upgrade to Gif Player 8.x-1.5 [5] (it is recommended to upgrade to the 2.0.4
version if possible, as the 8.x-1.x branch will be phased out soon)

Please note that the GifPlayer library (file js/gifplayer.js) is no longer
bundled with the module and must be downloaded separately into the /libraries
directory (see the README.md for details).
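Added example (not part of the advisory or the module): a check of an installed version against the affected range above, "<1.5.0 || >=2.0.0 <2.0.4", for use when inventorying sites before applying the upgrade steps. It accepts both the legacy "8.x-1.4" form and the "2.0.4" form; the normalisation rules, the treatment of pre-release suffixes and the function names are assumptions made for this example, and the sample version list is constructed.

```javascript
// Added example, not part of the advisory or the module: checks an installed
// Gif Player version against the advisory's affected range
//   <1.5.0 || >=2.0.0 <2.0.4
// Accepts the legacy "8.x-1.4" form and the "2.0.4" form. The normalisation
// rules and pre-release handling are assumptions made for this example.

// Parse "8.x-1.4", "1.5.0" or "2.0.4-rc1" into { parts: [major, minor, patch], pre }.
// A core-compatibility prefix like "8.x-" is dropped; a "-suffix" marks a
// pre-release. Dev snapshots such as "8.x-1.x-dev" cannot be ordered and throw.
function parseVersion(v) {
  const s = String(v).trim().replace(/^\d+\.x-/, '');
  const [base, pre] = s.split('-', 2);
  const parts = base.split('.').map(Number);
  if (!base || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error('unrecognised version: ' + v);
  }
  while (parts.length < 3) parts.push(0);
  return { parts, pre: pre !== undefined };
}

// Three-way compare; a pre-release sorts below the release it precedes.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// True when the version falls inside "<1.5.0 || >=2.0.0 <2.0.4".
function isAffected(version) {
  return compareVersions(version, '1.5.0') < 0 ||
    (compareVersions(version, '2.0.0') >= 0 && compareVersions(version, '2.0.4') < 0);
}

// Classify a list of versions, e.g. gathered from several sites' composer.lock
// or "drush pm:list" output. Unparseable versions are reported, not skipped.
function classify(versions) {
  const out = {};
  for (const v of versions) {
    try {
      out[v] = isAffected(v) ? 'affected' : 'fixed or out of range';
    } catch (e) {
      out[v] = 'unknown: ' + e.message;
    }
  }
  return out;
}

// Constructed sample input.
const SAMPLE_VERSIONS = ['8.x-1.4', '8.x-1.5', '2.0.3', '2.0.4-rc1', '2.0.4', '8.x-1.x-dev'];
console.log(classify(SAMPLE_VERSIONS));
```

A release candidate of 2.0.4 is deliberately counted as affected: it sorts below 2.0.4, and the advisory names 2.0.4 as the fixed release. Dev snapshots come back as "unknown" so they are checked by hand rather than silently passed.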

Reported By: 
* Pierre Rudloff (prudloff) [6]

Fixed By: 
* Daniel Rodriguez (danrod) [7]

Coordinated By: 
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/gifplayer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://github.com/rubentd/gifplayer
[4] https://www.drupal.org/project/gifplayer/releases/2.0.4
[5] https://www.drupal.org/project/gifplayer/releases/8.x-1.5
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/danrod
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
