
it-securitynotifies - [IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
  • Date: Wed, 22 Apr 2026 17:47:44 +0000
  • Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/EU32AHVFXNACHKVKWPHAIIGRU3RXXZYI/>
  • List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-033

Project: Obfuscate [1]
Date: 2026-April-22
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross-site scripting

Affected versions: <2.0.2
CVE IDs: CVE-2026-6871
Description: 
This module enables you to obfuscate email addresses in content.

The module doesn't sufficiently sanitize user input via the Twig filter.

This vulnerability is mitigated by the fact that it only affects sites using
the ROT13 encoding and where an attacker can enter content that is filtered
using the module's Twig filter.

Solution: 
Install the latest version:

* If you use the Obfuscate module, upgrade to Obfuscate 2.0.2 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4] of the Drupal Security Team

Fixed By: 
* Christophe Jossart (colorfield) [5]
* Nigel Cunningham (nigelcunningham) [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/obfuscate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/obfuscate/releases/2.0.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/colorfield
[6] https://www.drupal.org/u/nigelcunningham
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3586329
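
An added example (not part of the advisory or the Obfuscate project's code): a check of a site's composer.lock against the affected range "<2.0.2" stated above. The Composer package name drupal/obfuscate is an assumption based on the project URL, and the lock file content is constructed sample data.

```python
import json
import re

FIXED = (2, 0, 2)               # first fixed release per SA-CONTRIB-2026-033
PACKAGE = "drupal/obfuscate"    # assumed Composer name for the Obfuscate project


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a composer.lock version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version)
    if not m:
        return "unknown"        # e.g. '2.x-dev' or 'dev-2.x': compare the commit by hand
    release = tuple(int(p) for p in m.group(1, 2, 3))
    if release < FIXED:
        return "affected"
    # A pre-release of the fixed version (2.0.2-rc1) sorts before 2.0.2 itself.
    if release == FIXED and m.group(4):
        return "affected"
    return "fixed"


def check_lock(lock_text):
    """Scan composer.lock content; return (version, status), or None if not installed."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], classify(pkg["version"])
    return None


# Constructed sample lock file content, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/obfuscate", "version": "2.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of "affected" only establishes the installed version; whether the site is exposed also depends on the mitigating conditions in the description (ROT13 encoding in use and attacker-controlled content passing through the module's Twig filter).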
