DRUPAL-CONTRIB-2024-026

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/view_password/DRUPAL-CONTRIB-2024-026.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-026
Aliases
  • CVE-2024-13262
Published
2024-07-31T15:59:06Z
Modified
2025-12-10T23:41:28.271304Z
Summary
[none]
Details

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes.

The module doesn't validate the content of classes. A malicious user with access to the View Password Settings Form could add malicious code in the classes field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/view_password

Package

Name
drupal/view_password
Purl
pkg:composer/drupal/view_password

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.4
Database specific
{
    "constraint": "<6.0.4"
}

Database specific

affected_versions
"<6.0.4"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/view_password/DRUPAL-CONTRIB-2024-026.json"