Install

Works with Drupal: 7.x

Using Composer to manage Drupal site dependencies

Downloads

Download favicon-7.x-1.0-rc2.tar.gz (tar.gz, 9.99 KB)
MD5: 51653caf4f19b4a43bfb95d68b9e2433
SHA-1: 0bf468df87ca3c65ae0e79108aa9c5a77cd61e7f
SHA-256: 12fb9d22039dbb953cc97e36b6a534dc4c668b7c44e52d89c3ede1241c30110e
Download favicon-7.x-1.0-rc2.zip (zip, 11.32 KB)
MD5: b67e282ca2ca48ed5ae7857d8eee1d49
SHA-1: b219cf9f9a6064fe999c7be3de1f53da93c97042
SHA-256: 45777878fa7356617c34fbd720d1679518b5298596f83123d55b0541a7cc0fcc

Release notes

Fixes access bypass XSS vulnerability

The 7.x version of the module does not adequately check that the favicon path provided by the theme is actually a favicon and should be readable by the site. This can allow an attacker to access arbitrary system files by specifying them as the site's favicon file.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer theme".

Note that since this is a pre-release version, no security advisory was issued by the Drupal security team.
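
The kind of check the release notes say was missing, as an added example (not the module's actual patch): resolve the configured path, require it to sit inside a directory the site is meant to serve, and require its content to be an icon. The function name, the allowed-root list and the accepted icon types are assumptions.

```php
<?php
// Added example: hypothetical helper, not the favicon module's own code.
// Returns the canonical path when $path is an icon file inside one of
// $allowed_roots, FALSE otherwise.
function example_favicon_validate_path($path, array $allowed_roots) {
  // Canonicalise first so symlinks and ".." segments cannot hide the target.
  $real = realpath($path);
  if ($real === FALSE || !is_file($real)) {
    return FALSE;
  }
  // Containment: compare against canonical roots with a trailing separator,
  // so a root of "/var/www/site" does not also admit "/var/www/site-private".
  $inside = FALSE;
  foreach ($allowed_roots as $root) {
    $root_real = realpath($root);
    if ($root_real === FALSE) {
      continue;
    }
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) === 0) {
      $inside = TRUE;
      break;
    }
  }
  if (!$inside) {
    return FALSE;
  }
  // Extension allow-list, each paired with the magic bytes it must start with.
  $signatures = array(
    'ico' => "\x00\x00\x01\x00",
    'png' => "\x89PNG\r\n\x1a\n",
    'gif' => 'GIF8',
  );
  $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
  if (!isset($signatures[$ext])) {
    return FALSE;
  }
  // Content check: a renamed text file fails here even with an .ico name.
  $head = file_get_contents($real, FALSE, NULL, 0, strlen($signatures[$ext]));
  return ($head === $signatures[$ext]) ? $real : FALSE;
}

// Constructed demo: an icon inside a temporary "theme" root, then this script
// itself (a file outside that root) offered as the favicon.
$theme = sys_get_temp_dir() . '/example_theme_' . getmypid();
mkdir($theme);
file_put_contents($theme . '/favicon.ico', "\x00\x00\x01\x00\x01\x00");
var_dump(example_favicon_validate_path($theme . '/favicon.ico', array($theme)));
var_dump(example_favicon_validate_path(__FILE__, array($theme)));
```

Serving only the path this function returns, rather than the original input, avoids a second resolution of the user-supplied string.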

Created by: johnennew
Created on: 27 Aug 2014 at 17:07 UTC
Last updated: 28 Aug 2014 at 19:27 UTC
Security update
