DRUPAL-CONTRIB-2025-100

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/facets/DRUPAL-CONTRIB-2025-100.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-100
Aliases
  • CVE-2025-9550
Published
2025-08-27T17:19:45Z
Modified
2025-12-10T23:41:31.176427Z
Summary
[none]
Details

This module enables you to easily create and manage faceted search interfaces.

The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer facets”.

CVSS risk score (experimental) 4.8 / Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/facets

Package

Name
drupal/facets
Purl
pkg:composer/drupal/facets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.10
Database specific
{
    "constraint": "<2.0.10"
}
Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.1
Database specific
{
    "constraint": ">=3.0.0 <3.0.1"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/facets/DRUPAL-CONTRIB-2025-100.json"
affected_versions
"<2.0.10 || >=3.0.0 <3.0.1"