DRUPAL-CONTRIB-2023-016

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/iubenda_integration/DRUPAL-CONTRIB-2023-016.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-016

Published

2023-05-31T13:14:25Z

Modified

2025-12-10T23:32:59.123436Z

Summary

[none]

Details

The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.

The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the "Administer blocks" permission.

References

https://www.drupal.org/sa-contrib-2023-016

Credits

- Mitch Portier
- - https://www.drupal.org/user/2284182

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/iubenda_integration

Package

Name: drupal/iubenda_integration
Purl: pkg:composer/drupal/iubenda_integration

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

4.0.1

Database specific

{
    "constraint": "<4.0.1"
}

Database specific

affected_versions

"<4.0.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/iubenda_integration/DRUPAL-CONTRIB-2023-016.json"