drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2023-016
May 31, 2023 - 12:00 a.m.

Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016

www.drupal.org
iubenda integration
cross site scripting
sa-contrib-2023-016
privacy policy
block
layout builder
administer blocks

The Iubenda Integration module provides a custom block that links to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered. The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the “Administer blocks” permission.

Affected configurations

Vulners
Node: drupal iubenda_integration, Range <4.0.1

Vendor | Product | Version | CPE
drupal | iubenda_integration | * | cpe:2.3:a:drupal:iubenda_integration:*:*:*:*:*:*:*:*
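
A check for the affected range above, added here as an example and not part of the advisory or the module: it reads a Composer lock file and reports whether the installed release falls below 4.0.1. The Composer package name `drupal/iubenda_integration` is an assumption based on the product name in the CPE and Drupal's usual `drupal/<machine name>` packaging; the sample lock files are constructed.

```python
import json
import re

PACKAGE = "drupal/iubenda_integration"  # assumed Composer package name
FIXED = (4, 0, 1)                       # advisory range: affected below 4.0.1


def parse_version(raw):
    """Return (major, minor, patch) for a stable release string, else None."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def check_lock(lock_text):
    """Classify a composer.lock document against the advisory range.

    Returns (status, version) where status is one of
    "affected", "patched", "unknown" or "not-installed".
    """
    lock = json.loads(lock_text)
    # Composer records runtime and dev dependencies in separate lists.
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            # Branch builds ("4.0.x-dev") and pre-releases cannot be ordered
            # reliably against the fix, so they are left for manual review.
            return ("unknown", raw)
        return ("affected" if version < FIXED else "patched", raw)
    return ("not-installed", None)


# Constructed sample lock files, not taken from a real site.
SAMPLES = {
    "old release": '{"packages": [{"name": "drupal/iubenda_integration", "version": "4.0.0"}]}',
    "fixed release": '{"packages": [{"name": "drupal/iubenda_integration", "version": "4.0.1"}]}',
    "dev branch": '{"packages-dev": [{"name": "drupal/iubenda_integration", "version": "4.0.x-dev"}]}',
    "module absent": '{"packages": [{"name": "drupal/core", "version": "9.5.9"}]}',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label}: {check_lock(text)}")
```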