Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2023-May-31
Vulnerability:
Cross Site Scripting
Affected versions:
<4.0.1
Description:
The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.
The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the "Administer blocks" permission.
Solution:
Install the latest version:
- If you use the Iubenda Integration module for Drupal 9+, upgrade to Iubenda Integration 4.0.1
- If you use the Iubenda Integration module for Drupal 7, upgrade to Iubenda Integration 7.x-2.5
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
