DRUPAL-CONTRIB-2025-007

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ignition/DRUPAL-CONTRIB-2025-007.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-007

Aliases

CVE-2025-31679
GHSA-rhxm-r44m-4325

Published

2025-01-22T17:01:38Z

Modified

2025-12-10T23:41:14.412536Z

Summary

[none]

Details

This module enables you to render error pages using the Ignition package.

The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that this module is for development purposes and is not intended to be installed on production environments.

References

https://www.drupal.org/sa-contrib-2025-007

Credits

- Dieter Holvoet
- - https://www.drupal.org/user/3567222

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ignition

Package

Name: drupal/ignition
Purl: pkg:composer/drupal/ignition

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.4

Database specific

{
    "constraint": "<1.0.4"
}

Database specific

affected_versions

"<1.0.4"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ignition/DRUPAL-CONTRIB-2025-007.json"