DRUPAL-CONTRIB-2021-028

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_embed/DRUPAL-CONTRIB-2021-028.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-028

Aliases

Published

2021-09-15T15:28:04Z

Modified

2025-12-10T23:41:31.114382Z

Summary

[none]

Details

This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006.

The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting.

References

https://www.drupal.org/sa-contrib-2021-028

Credits

- Aaron Zinck
- - https://www.drupal.org/user/518662

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/entity_embed

Package

Name: drupal/entity_embed
Purl: pkg:composer/drupal/entity_embed

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.0

Database specific

{
    "constraint": "<1.2.0"
}

Database specific

affected_versions

"<1.2.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_embed/DRUPAL-CONTRIB-2021-028.json"