Cross-site scripting through Existing content link text field.

Created on 19 February 2025, about 1 month ago

Problem/Motivation

Content entered in the "Existing content link text"-field is not filtered, allowing malicious users to embed scripts. Public hardening issue since the required permission to edit a content type is an advanced permission listed in https://www.drupal.org/drupal-security-team/security-advisory-process-an...

Steps to reproduce

  • Enable Type Tray
  • Edit a content type, under third-party settings, add "<script>alert('xss');</script>" as "Existing content link text"
  • Visit /node/add, the script will be executed.
🐛 Bug report
Status

Active

Version

1.3

Component

Code

Created by

🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
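
The pattern behind the report above, shown as an added example in plain PHP. This is not Type Tray's code: the function names and the `link_text` settings key are hypothetical, and the payload is the one from the reproduction steps. It renders the stored value once unescaped and once escaped, then parses both results to check for a live `<script>` element.

```php
<?php
// Added illustration, not the module's code. Names and the settings array
// shape are hypothetical; the payload comes from the steps to reproduce.

/** Vulnerable pattern: the stored setting is concatenated into markup as-is. */
function render_link_unsafe(array $settings, string $url): string {
  return '<a href="' . $url . '">' . $settings['link_text'] . '</a>';
}

/** Hardened pattern: the setting is treated as plain text and escaped on output. */
function render_link_safe(array $settings, string $url): string {
  $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
  return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '">'
    . htmlspecialchars($settings['link_text'], $flags, 'UTF-8') . '</a>';
}

/** Regression check: parse the output and report whether a script element exists. */
function contains_script_element(string $html): bool {
  $previous = libxml_use_internal_errors(true);
  $doc = new DOMDocument();
  $doc->loadHTML($html);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);
  return $doc->getElementsByTagName('script')->length > 0;
}

// Constructed sample input: the value entered as "Existing content link text".
$settings = ['link_text' => "<script>alert('xss');</script>"];
$url = '/admin/content';

$rendered = [
  'unsafe' => render_link_unsafe($settings, $url),
  'safe'   => render_link_safe($settings, $url),
];

foreach ($rendered as $name => $html) {
  printf(
    "%-6s script element present: %s\n       %s\n",
    $name,
    contains_script_element($html) ? 'yes' : 'no',
    $html
  );
}
```

Inside Drupal, `\Drupal\Component\Utility\Html::escape()` performs the same escaping as the `htmlspecialchars()` call used here.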
