it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042
- Date: Wed, 3 Jun 2026 16:14:57 +0000
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-042
Project: Anti-Spam by CleanTalk [1]
Date: 2026-June-03
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross site scripting
Affected versions: <9.7.1
CVE IDs: CVE-2026-10770
Description:
This module provides spam protection using the CleanTalk cloud service.
The module doesn't sufficiently sanitize API response messages before
rendering them in HTML output. The _cleantalk_die() and ct_die() functions
output the CleanTalk API response message directly into HTML without proper
sanitization, allowing potential injection of arbitrary HTML or JavaScript.
This vulnerability is mitigated by the fact that an attacker must be able to
influence the CleanTalk cloud API response (e.g., through a man-in-the-middle
attack or a compromised API server).
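The pattern the advisory describes, shown as an added illustration (not the module's own code): an API response string written straight into HTML beside the hardened form that treats the upstream message like any other untrusted input. The helper names and the response shape (a decoded array with a `comment` key) are assumptions.

```php
<?php
// Added illustration, not the CleanTalk module's code. Function names and the
// response shape ($response['comment']) are assumptions for this example.
use Drupal\Component\Utility\Html;

/**
 * VULNERABLE pattern: upstream API text concatenated straight into HTML.
 * Whoever controls the response body (a compromised API server, or anyone
 * able to tamper with the connection) controls the markup that is rendered.
 */
function render_api_error_vulnerable(array $response): string {
  return '<div class="messages error">' . $response['comment'] . '</div>';
}

/**
 * HARDENED pattern: escape the message before it reaches HTML.
 * Html::escape() turns <, >, &, " and ' into entities, so the text is
 * displayed literally instead of being interpreted as markup.
 */
function render_api_error_fixed(array $response): string {
  $message = (string) ($response['comment'] ?? 'Unknown error from spam service.');
  return '<div class="messages error">' . Html::escape($message) . '</div>';
}

/**
 * Same fix expressed as a Drupal render array: '#plain_text' is escaped by
 * the theme layer, unlike '#markup', which is meant for trusted HTML.
 */
function render_api_error_fixed_render_array(array $response): array {
  return [
    '#type' => 'container',
    '#attributes' => ['class' => ['messages', 'messages--error']],
    'text' => ['#plain_text' => (string) ($response['comment'] ?? '')],
  ];
}

// Constructed sample response containing harmless markup.
$sample = ['comment' => '<b>Blocked</b> & reported'];
// Vulnerable output keeps the <b> tag; hardened output renders it as text:
// <div class="messages error">&lt;b&gt;Blocked&lt;/b&gt; &amp; reported</div>
echo render_api_error_vulnerable($sample), PHP_EOL;
echo render_api_error_fixed($sample), PHP_EOL;
```

The detection side of the same lesson: any code path that echoes a third-party service's response into a page deserves the same review as a form field, regardless of the transport being TLS.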
Solution:
Install the latest version:
* If you use the Anti-Spam by CleanTalk module for Drupal, upgrade to
Anti-Spam by CleanTalk 9.7.1 [3]
Reported By:
* Ra Mänd (ram4nd) [4] provisional member of the Drupal Security Team
Fixed By:
* alexandergull [5]
* anton1211 [6]
* Ra Mänd (ram4nd) [7] provisional member of the Drupal Security Team
Coordinated By:
* Neil Drumm (drumm) [8] of the Drupal Security Team
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/185105-cleantalk-security/-/work_items/1 [11]
------------------------------------------------------------------------------
Contribution record [12]
[1] https://www.drupal.org/project/cleantalk
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cleantalk/releases/9.7.1
[4] https://www.drupal.org/u/ram4nd
[5] https://www.drupal.org/u/alexandergull
[6] https://www.drupal.org/u/anton1211
[7] https://www.drupal.org/u/ram4nd
[8] https://www.drupal.org/u/drumm
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://git.drupalcode.org/security/185105-cleantalk-security/-/work_items/1
[12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3590085
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
Archive provided by MHonArc 2.6.19+.