Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
  • Date: Wed, 1 Jul 2026 18:36:45 +0000
  • Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/O72JUW76RFLOJQHB4BFTKQL3BYY4OZFH/>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=RZQw9DJJ; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=ZnUHZ7aa; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=dTiEsHwv; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org ED18C8447C
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 11B9B80E1F
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 11B9B80E1F
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-069

Project: Colorbox [1]
Date: 2026-July-01
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

Affected versions: < 2.1.5 || 2.2.0
CVE IDs: CVE-2026-58591
Description: 
The Colorbox module integrates with the Colorbox JavaScript library to
display content in an overlay above the page.

The module doesn't sufficiently protect against injection of malicious
JavaScript under certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have a role
that permits them to enter HTML content.

Solution: 
Install the latest version:

* If you use Colorbox 2.1.x, upgrade to: Colorbox 2.1.5 [3]
* If you use Colorbox 2.2.x, upgrade to: Colorbox 2.2.1 [4]

Reported By: 
* Pierre Rudloff (prudloff) [5] of the Drupal Security Team

Fixed By: 
* Paul McKibben (paulmckibben) [6]

Coordinated By: 
* Pierre Rudloff (prudloff) [7] of the Drupal Security Team

Security
issue: 
https://git.drupalcode.org/security/185155-colorbox-security/-/work_items/1
[8]
------------------------------------------------------------------------------
Contribution record [9]

[1] https://www.drupal.org/project/colorbox
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/colorbox/releases/2.1.5
[4] https://www.drupal.org/project/colorbox/releases/2.2.1
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/paulmckibben
[7] https://www.drupal.org/u/prudloff
[8] https://git.drupalcode.org/security/185155-colorbox-security/-/work_items/1
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3606622

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

  • [IT-SecNots] [Security-news] Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069, security-news, 01.07.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang