DRUPAL-CONTRIB-2023-020

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/office_hours/DRUPAL-CONTRIB-2023-020.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-020

Published

2023-06-14T14:52:36Z

Modified

2025-12-10T23:33:20.629122Z

Summary

[none]

Details

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location.

The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer display" regardless of other configurations. In some scenarios, the vulnerability can be exploited by a user with "Create content" or "Edit content" for a relevant Content type.

References

https://www.drupal.org/sa-contrib-2023-020

Credits

- John Voskuilen
- - https://www.drupal.org/user/591042
- Mitch Portier
- - https://www.drupal.org/user/2284182

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/office_hours

Package

Name: drupal/office_hours
Purl: pkg:composer/drupal/office_hours

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.11.0

Database specific

{
    "constraint": "<1.11"
}

Database specific

affected_versions

"<1.11"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/office_hours/DRUPAL-CONTRIB-2023-020.json"