DRUPAL-CONTRIB-2022-027

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/govuk_theme/DRUPAL-CONTRIB-2022-027.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-027

Published

2022-02-23T17:18:07Z

Modified

2025-12-10T23:31:07.835810Z

Summary

[none]

Details

The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.

The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.

The vulnerability is mitigated by the facts, that:

An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
For some of the vulnerabilities, certain contributed modules must be enabled.

References

https://www.drupal.org/sa-contrib-2022-027

Credits

- Patrick Fey
- - https://www.drupal.org/user/998680

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/govuk_theme

Package

Name: drupal/govuk_theme
Purl: pkg:composer/drupal/govuk_theme

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.9.0

Database specific

{
    "constraint": "<1.9.0"
}

Database specific

affected_versions

"<1.9.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/govuk_theme/DRUPAL-CONTRIB-2022-027.json"