it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
- Date: Wed, 24 Sep 2025 17:18:09 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=HfTbutjM; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 85341410BB
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6A12181F43
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-107
Project: Plausible tracking [1]
Date: 2025-September-24
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.2
CVE IDs: CVE-2025-10927
Description:
This module integrates Plausible Analytics on a site.
The module did not properly filter output in certain cases.
This vulnerability is mitigated by the fact that an attacker must have
permission to add raw HTML to the website, such as an unfiltered WYSIWYG
field on a public-facing comment.
Solution:
Install the latest version:
* If you use the Plausible Analytics module for Drupal, upgrade to Plausible
Analytics v1.0.2 [3]
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Pierre Rudloff (prudloff) [5]
* Benjamin Rasmussen (ras-ben) [6]
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/plausible_tracking
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/plausible_tracking/releases/1.0.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/ras-ben
[7] https://www.drupal.org/u/damienmckenna
[8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548502
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
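Added example (not part of the advisory or of the module's code): a check of a site's composer.lock against the advisory's affected range, <1.0.2. It assumes the module is installed under the Composer name drupal/plausible_tracking; the sample lock file is constructed.

```python
import json
import re
import sys

PACKAGE = "drupal/plausible_tracking"  # assumed Composer name (drupal/<project>)
FIXED = (1, 0, 2)                       # advisory: affected versions are <1.0.2

# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.5"},
        {"name": "drupal/plausible_tracking", "version": "1.0.1"},
    ],
    "packages-dev": [],
})

def parse_version(raw):
    """Return (major, minor, patch, is_prerelease), or None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?\d*)?", raw, re.I)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)) + (m.group(4) is not None,)

def check_lock(lock_text):
    """Classify a composer.lock as 'absent', 'affected', 'fixed' or 'unknown'."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        parsed = parse_version(pkg.get("version", ""))
        if parsed is None:
            return "unknown"  # e.g. dev-1.0.x: the installed commit must be checked by hand
        release, prerelease = parsed[:3], parsed[3]
        # A pre-release of 1.0.2 orders below 1.0.2, so it is conservatively flagged.
        if release < FIXED or (release == FIXED and prerelease):
            return "affected"
        return "fixed"
    return "absent"

if __name__ == "__main__":
    # Pass a path to composer.lock, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(PACKAGE, "->", check_lock(text))
```

A result of "unknown" means the lock file pins a development branch rather than a tagged release, which a version comparison cannot place relative to 1.0.2.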