Marked as normal since this is a security update marked "Less Critical" and colorbox isn't enabled by default.

The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site.

This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links.

Though also see #2426715: Remove Colorbox from build.

Comments

rootwork created an issue. See original summary.

lsolesen:

We should probably remove this, since it is not enabled by default (see #2426715: Remove Colorbox from build). @mglaman, what is your take on this?

mglaman:

If we have modules with dependencies... then let's update it. For now. I'm nervous about just removing modules that people might have enabled.

rolfmeijer:

To be honest, I don't think a security update for a module should be left open for so long; it should not depend on a decision about whether this particular module should be removed from the project.

I would really like it if the update was included in the next release of Commerce Kickstart.

mglaman:

Status: Active » Needs review

rolfmeijer:

Wow, thank you! What a quick action. I will try to test it as soon as possible.

  • mglaman authored f4c5fb4 on 7.x-2.x
    Issue #2708845: Update colorbox (#207)

mglaman:

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.