it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
- Date: Wed, 16 Jul 2025 16:46:27 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=RO0klhSd; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-090
Project: Block Attributes [1]
Date: 2025-July-16
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7715
Description:
This module allows you to define custom attributes for a block. You can
specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which
makes it possible to insert JavaScript event attributes such as onmouseover,
onkeyup, etc. These attributes can execute JavaScript code when the page is
rendered, leading to cross-site scripting (XSS) vulnerabilities.
This vulnerability is partially mitigated by the requirement to manually add
the specific attributes and corresponding JavaScript code to the form after
the attribute has been created.
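The following Python is an added illustration, not the module's code and not a Drupal API: it puts a syntax-only attribute-name check of the kind the advisory calls insufficient beside an allowlist-based validator that rejects every on* event handler, and renders the surviving attributes with escaped values. The sample attributes, the allowlist and the helper names are constructed for this example.

```python
import html
import re

# Syntax-only check of the kind the advisory describes as insufficient
# (constructed for this example): it verifies that the name looks like an
# attribute but accepts event-handler names such as onmouseover unchanged.
NAME_SYNTAX = re.compile(r"^[a-z][a-z0-9_-]*$")

def naive_is_valid(name: str) -> bool:
    return bool(NAME_SYNTAX.match(name.lower()))

# Hardened variant (an example, not the module's actual fix): an allowlist of
# harmless attribute names plus the data-* and aria-* prefixes. Anything else,
# in particular every on* event handler, is rejected. Names are lower-cased
# first because HTML attribute names are case-insensitive ("OnKeyUp" is onkeyup).
ALLOWED_NAMES = {"class", "id", "title", "role", "lang", "dir", "tabindex"}
ALLOWED_PREFIXES = ("data-", "aria-")

def hardened_is_valid(name: str) -> bool:
    lowered = name.strip().lower()
    if not NAME_SYNTAX.match(lowered):
        return False
    if lowered.startswith("on"):  # explicit, although the allowlist already excludes these
        return False
    return lowered in ALLOWED_NAMES or lowered.startswith(ALLOWED_PREFIXES)

def render_attributes(attrs: dict) -> tuple:
    """Render a name/value mapping as an HTML attribute string.

    Returns (rendered, rejected): names failing the hardened check are dropped
    and reported so a site can log them; values are always HTML-escaped so a
    value cannot close its quotes and smuggle in a second attribute.
    """
    parts, rejected = [], []
    for name, value in attrs.items():
        if not hardened_is_valid(name):
            rejected.append(name)
            continue
        parts.append(f'{name.strip().lower()}="{html.escape(str(value), quote=True)}"')
    return " ".join(parts), rejected

if __name__ == "__main__":
    # Constructed sample input: one harmless attribute, one event handler,
    # one value that tries to break out of its quotes.
    sample = {"class": "hero", "onmouseover": "run()", "data-id": '1" onclick="x'}
    print("naive check accepts onmouseover:", naive_is_valid("onmouseover"))
    print(render_attributes(sample))
```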
Solution:
Install the latest version:
* If you use the Block Attributes module for Drupal, upgrade to Block
Attributes 8.x-1.1 [3] or Block Attributes 2.0.1 [4].
Reported By:
* Pierre Rudloff (prudloff) [5], provisional member of the Drupal Security Team
Fixed By:
* Kostia Bohach (_shy) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff), provisional member of the Drupal Security Team [9]
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/block_attributes
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/block_attributes/releases/8.x-1.1
[4] https://www.drupal.org/project/block_attributes/releases/2.0.1
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/xjm
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.