DRUPAL-CONTRIB-2021-038

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tb_megamenu/DRUPAL-CONTRIB-2021-038.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-038
Published
2021-09-22T17:25:50Z
Modified
2025-12-10T23:33:03.481247Z
Summary
[none]
Details

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content.

The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-end markup.

This vulnerability is mitigated by the fact that it can only be exploited by an attacker with permissions to administer TB Mega Menu, or a sophisticated anonymous user using a site-specific attack that exploits the Cross Site Request Forgery vulnerability that is fixed by this same release.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tb_megamenu

Package

Name
drupal/tb_megamenu
Purl
pkg:composer/drupal/tb_megamenu

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0
Database specific
{
    "constraint": "<1.4.0"
}

Database specific

affected_versions
"<1.4.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tb_megamenu/DRUPAL-CONTRIB-2021-038.json"