DRUPAL-CONTRIB-2025-078

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/glightbox/DRUPAL-CONTRIB-2025-078.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-078

Aliases

CVE-2025-48922

Published

2025-06-25T18:41:20Z

Modified

2025-12-10T23:41:26.021669Z

Summary

[none]

Details

GLightbox module is a pure Javascript lightbox for CKEditor.

The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.

References

https://www.drupal.org/sa-contrib-2025-078

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/glightbox

Package

Name: drupal/glightbox
Purl: pkg:composer/drupal/glightbox

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.16

Database specific

{
    "constraint": "<1.0.16"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/glightbox/DRUPAL-CONTRIB-2025-078.json"

affected_versions

"<1.0.16"