DRUPAL-CONTRIB-2025-077

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/toc_js/DRUPAL-CONTRIB-2025-077.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-077

Aliases

CVE-2025-48923

Published

2025-06-25T18:41:06Z

Modified

2025-12-10T23:41:33.022502Z

Summary

[none]

Details

This module enables you to generate Table of content of your pages given a configuration.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.

References

https://www.drupal.org/sa-contrib-2025-077

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/toc_js

Package

Name: drupal/toc_js
Purl: pkg:composer/drupal/toc_js

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.2.1

Database specific

{
    "constraint": "<3.2.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/toc_js/DRUPAL-CONTRIB-2025-077.json"

affected_versions

"<3.2.1"