it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
- Date: Wed, 13 May 2026 17:17:43 +0000
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-035
Project: Translate Drupal with GTranslate [1]
Date: 2026-May-13
Security risk: *Less critical* 8 ∕ 25
AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: DOM clobbering / link manipulation
Affected versions: <3.0.5
CVE IDs: CVE-2026-8492
Description:
The GTranslate module provides a language switcher widget for Drupal sites.
The module’s widget JavaScript did not sufficiently validate that
document.currentScript referred to the executing script element. A user who
can add HTML to a page could cause the generated language-switcher links to
point to an unintended domain.
This vulnerability is mitigated by the fact that an attacker must be able to
add HTML with attributes that are not allowed by Drupal’s default CKEditor
configuration. It is also limited to sites using the paid versions of
GTranslate widget JavaScript and configurations where the generated language
links use script-provided values.
Solution:
Install the latest version.
If you use the GTranslate module 3.0.x, upgrade to GTranslate 3.0.5 [3].
Reported By:
* Pierre Rudloff (prudloff) [4] of the Drupal Security Team
Fixed By:
* Edvard Ananyan (edo888) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/185008-gtranslate-security/-/work_items/1 [8]
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/gtranslate
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gtranslate/releases/3.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/edo888
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://git.drupalcode.org/security/185008-gtranslate-security/-/work_items/1
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3589034
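A generic hardening pattern for the class of issue described above, as an added example that is not GTranslate's code or the 3.0.5 fix: confirm that document.currentScript is a genuine script element before using any value taken from it, and fall back to a configured origin otherwise. The advisory does not say which script-provided value the widget reads, so `src` is a stand-in; the function names, `ALLOWED_HOSTS` and all hosts are assumptions.

```javascript
// Added example: names, hosts and ALLOWED_HOSTS are illustrative assumptions.
const ALLOWED_HOSTS = new Set(['cdn.widget.example']); // hypothetical widget host

// Return the executing <script> element, or null when document.currentScript
// resolves to something else (for example a named element shadowing it).
function genuineCurrentScript(doc, ScriptCtor) {
  const el = doc.currentScript;
  if (el === null || typeof el !== 'object') return null;
  // In a browser pass HTMLScriptElement: the prototype chain is fixed by the
  // element's tag, so markup alone cannot make another element pass this test.
  if (ScriptCtor) return el instanceof ScriptCtor ? el : null;
  // Fallback without a constructor: strict comparison with a string also
  // rejects a tagName property that has itself been shadowed by an element.
  return el.tagName === 'SCRIPT' ? el : null;
}

// Use a script-provided value for link generation only if the script element
// is genuine and its URL is https on an allowlisted host.
function linkBaseOrigin(doc, fallbackOrigin, ScriptCtor) {
  const script = genuineCurrentScript(doc, ScriptCtor);
  if (!script || typeof script.src !== 'string') return fallbackOrigin;
  let url;
  try {
    url = new URL(script.src);
  } catch {
    return fallbackOrigin; // unparsable value: do not trust it
  }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) {
    return fallbackOrigin;
  }
  return url.origin;
}

// Constructed stand-ins so the checks can run outside a browser.
class FakeScript {
  constructor(src) { this.tagName = 'SCRIPT'; this.src = src; }
}
const FALLBACK = 'https://www.site.example';
const genuineDoc = { currentScript: new FakeScript('https://cdn.widget.example/w.js') };
// A shadowed lookup: a non-script element that carries its own src.
const shadowedDoc = { currentScript: { tagName: 'IMG', src: 'https://unintended.example/w.js' } };

console.log(linkBaseOrigin(genuineDoc, FALLBACK, FakeScript));
console.log(linkBaseOrigin(shadowedDoc, FALLBACK, FakeScript));
```

In a browser the call would be `linkBaseOrigin(document, location.origin, HTMLScriptElement)`.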