The Iubenda Integration module provides a custom block that links to the Iubenda privacy policy. The block accepts custom prefix and suffix text.
The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content or edit the layout, or a role with the "Administer blocks" permission.
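
The unfiltered-output problem described above, sketched in plain PHP as an added example; this is not the module's own code. The function names, the URL and label parameters, and the sample strings are assumptions, and `htmlspecialchars()` stands in for Drupal's own filtering helpers such as `Html::escape()` or `Xss::filter()`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the block's output step; not the module's code.

/** Vulnerable pattern: configured text is concatenated into HTML as-is. */
function render_policy_block_unfiltered(string $prefix, string $url, string $label, string $suffix): string
{
    return '<div class="policy-link">' . $prefix
        . '<a href="' . $url . '">' . $label . '</a>'
        . $suffix . '</div>';
}

/** Escape a value for an HTML text node or a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every configured field is escaped at output time. */
function render_policy_block_filtered(string $prefix, string $url, string $label, string $suffix): string
{
    // Allow only http(s) links so the href cannot carry a script URL.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';
    }
    return '<div class="policy-link">' . esc($prefix)
        . '<a href="' . esc($url) . '">' . esc($label) . '</a>'
        . esc($suffix) . '</div>';
}

// Constructed sample input: a harmless marker payload in the prefix field.
$prefix = 'Read our <script>alert("prefix")</script> ';
$suffix = ' before continuing.';
$url    = 'https://example.com/privacy-policy'; // placeholder URL

$unsafe = render_policy_block_unfiltered($prefix, $url, 'Privacy Policy', $suffix);
$safe   = render_policy_block_filtered($prefix, $url, 'Privacy Policy', $suffix);

// Report whether each rendering still contains an executable script element.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
var_dump(strpos($safe, '&lt;script&gt;') !== false);
```

Escaping at output time matters here because the text is stored once by a privileged user and then rendered to every visitor who sees the block.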
Install the latest version:
- If you use the Iubenda Integration module for Drupal 9+, upgrade to Iubenda Integration 4.0.1
- If you use the Iubenda Integration module for Drupal 7, upgrade to Iubenda Integration 7.x-2.5
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team