it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069
- Date: Wed, 21 May 2025 17:29:27 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=ZFm2eVN6; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-069
Project: Lightgallery [1]
Date: 2025-May-21
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.6.0
CVE IDs: CVE-2025-48447
Description:
This module integrates Drupal with LightGallery, enabling the use of the
LightGallery library with any image field or view.
The module does not adequately sanitize user input in the image field's
"alt" attribute: HTML tags or script placed in the alt text are rendered
unescaped, allowing cross-site scripting (XSS).
This vulnerability is partially mitigated by the requirement that an attacker
must have permission to create content containing an image field configured
to use the LightGallery format.
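The following is an added illustration, not the Lightgallery module's own code: a hypothetical gallery item renderer that shows the unsafe path (author-controlled alt text concatenated into markup) beside the hardened path (alt text HTML-escaped first). The advisory does not state which template or attribute the module renders the alt text into; the example assumes it is passed through lightGallery's data-sub-html caption attribute, which the library injects as HTML, and through the img alt attribute. The image object and payload are constructed for the example.

```javascript
// Added example, not the Lightgallery module's code. Assumes the alt text ends
// up in lightGallery's data-sub-html caption attribute (rendered as HTML by the
// library) and in the <img> alt attribute; the advisory does not name the sink.

// Escape the five characters that matter inside HTML text and quoted attributes.
// '&' goes first so already-escaped output is not escaped twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample input: an image whose alt text carries an XSS payload.
// Content authors control this string, which is the advisory's concern.
// The payload avoids double quotes so it stays inside the quoted attribute
// and only fires once the caption text is injected as HTML.
const SAMPLE_IMAGE = {
  src: "/files/photo.jpg",
  alt: "<img src=x onerror=alert(document.domain)>",
};

// Vulnerable: alt text is dropped straight into the data-sub-html attribute
// and the <img> alt attribute without escaping.
function renderItemVulnerable(image) {
  return (
    `<a href="${image.src}" data-sub-html="${image.alt}">` +
    `<img src="${image.src}" alt="${image.alt}"></a>`
  );
}

// Hardened: every author-controlled value is escaped before interpolation.
// The src is escaped as well; a real implementation would also validate
// that it is a relative path or an http(s) URL before using it in href.
function renderItemHardened(image) {
  const src = escapeHtml(image.src);
  const alt = escapeHtml(image.alt);
  return (
    `<a href="${src}" data-sub-html="${alt}">` +
    `<img src="${src}" alt="${alt}"></a>`
  );
}

// Check used to compare the two renderers: count tag openers ("<" followed by
// a letter) in the fragment. The template itself contributes exactly two
// (<a and <img); anything beyond that came from author-controlled input.
function countTagOpens(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log("vulnerable:", renderItemVulnerable(SAMPLE_IMAGE));
console.log("hardened:  ", renderItemHardened(SAMPLE_IMAGE));
console.log("tag openers, vulnerable vs hardened:",
  countTagOpens(renderItemVulnerable(SAMPLE_IMAGE)),
  countTagOpens(renderItemHardened(SAMPLE_IMAGE)));
```

In a Drupal formatter the equivalent of escapeHtml is to keep the alt text in a Twig variable (auto-escaped) or a '#plain_text' render element rather than building '#markup' or data attributes by string concatenation; whichever sink the module uses, the test is the same: a payload in the alt field must arrive in the page as an escaped entity, never as a tag.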
Solution:
Install the latest version:
* If you use the Lightgallery module, upgrade to Lightgallery 8.x-1.6 [3]
(1.6.0 in Composer terms; `composer show drupal/lightgallery` reports the
installed version on Composer-managed sites)
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Murilo Henrique Pucci (murilohp) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8]
[1] https://www.drupal.org/project/lightgallery
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/lightgallery/releases/8.x-1.6
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/murilohp
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news