DRUPAL-CONTRIB-2023-019

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/addtoany/DRUPAL-CONTRIB-2023-019.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-019

Published

2023-05-31T13:22:44Z

Modified

2025-12-10T23:33:30.074707Z

Summary

[none]

Details

This module provides social media share & follow buttons.

The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

References

https://www.drupal.org/sa-contrib-2023-019

Credits

- Mitch Portier
- - https://www.drupal.org/user/2284182

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/addtoany

Package

Name: drupal/addtoany
Purl: pkg:composer/drupal/addtoany

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.21.0

Database specific

{
    "constraint": "<1.21.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.4

Database specific

{
    "constraint": ">=2.0.0 <2.0.4"
}

Database specific

affected_versions

"<1.21.0 || >=2.0.0 <2.0.4"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/addtoany/DRUPAL-CONTRIB-2023-019.json"