DRUPAL-CONTRIB-2025-090

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/block_attributes/DRUPAL-CONTRIB-2025-090.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-090
Aliases
  • CVE-2025-7715
Published
2025-07-16T16:46:26Z
Modified
2025-12-10T23:41:28.543454Z
Summary
[none]
Details

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.

The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.

This vulnerability is partially mitigated by the requirement that the specific attributes, and the corresponding JavaScript code, be added manually to the block form after the attribute has been created.
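
A server-side allowlist check of the kind this advisory implies is missing, as an added example in PHP that is not the module's own code and does not reproduce the fix shipped in 1.1.0 / 2.0.1: the function name and rule set are assumptions, and the extra denylist of URL- and style-bearing attribute names goes beyond the event attributes the advisory names.

```php
<?php
// Added example (not block_attributes module code): validate a user-supplied
// attribute name before it is emitted on a block element. The advisory's
// defect is that names such as onmouseover or onkeyup were accepted as-is.

/**
 * Returns TRUE when $name is safe to emit as an HTML attribute name.
 */
function block_attribute_name_is_safe(string $name): bool {
  $name = trim($name);
  // Plain attribute-name syntax only: a letter, then letters, digits,
  // hyphens or underscores. Quotes, spaces, '=' and '/' are rejected so a
  // name cannot break out of the attribute and start a second one.
  if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $name)) {
    return FALSE;
  }
  // Every HTML event-handler attribute starts with "on" (onclick, onmouseover,
  // onkeyup, onerror, ...). Compare case-insensitively: "OnKeyUp" is live too.
  if (stripos($name, 'on') === 0) {
    return FALSE;
  }
  // Assumption beyond the advisory: also refuse attributes whose values carry
  // URLs or CSS, since those are classic script-injection carriers as well.
  $denied = ['style', 'href', 'src', 'srcdoc', 'action', 'formaction'];
  return !in_array(strtolower($name), $denied, TRUE);
}

// Constructed sample input standing in for what an editor might submit.
$submitted = ['data-track', 'aria-label', 'onmouseover', 'OnKeyUp', 'style', 'a b'];
foreach ($submitted as $name) {
  printf("%-12s %s\n", $name, block_attribute_name_is_safe($name) ? 'allowed' : 'rejected');
}
```

Run with `php example.php`; only `data-track` and `aria-label` are reported as allowed.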

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/block_attributes

Package

Name
drupal/block_attributes
Purl
pkg:composer/drupal/block_attributes

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.0
Database specific
{
    "constraint": "<1.1.0"
}
Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1
Database specific
{
    "constraint": ">=2.0.0 <2.0.1"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/block_attributes/DRUPAL-CONTRIB-2025-090.json"
affected_versions
"<1.1.0 || >=2.0.0 <2.0.1"