DRUPAL-CONTRIB-2023-055

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/dvf/DRUPAL-CONTRIB-2023-055.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-055
Published
2023-12-20T17:02:51Z
Modified
2025-12-10T23:33:51.497561Z
Summary
[none]
Details

This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.

This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.

The issue is mitigated by the fact an attacker needs the permission to create or edit content that is displayed using the Data Visualization Framework.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/dvf

Package

Name
drupal/dvf
Purl
pkg:composer/drupal/dvf

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2
Database specific
{
    "constraint": "< 2.0.2"
}

Database specific

affected_versions
"< 2.0.2"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/dvf/DRUPAL-CONTRIB-2023-055.json"