DRUPAL-CONTRIB-2025-016

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/spamspan/DRUPAL-CONTRIB-2025-016.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-016

Aliases

CVE-2025-31687
GHSA-8r2q-865v-wm8j

Published

2025-02-12T17:38:09Z

Modified

2025-12-10T23:41:11.245251Z

Summary

[none]

Details

This module enables your site to obfuscate Email addresses and prevent spambots to collect them.

The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page.

References

https://www.drupal.org/sa-contrib-2025-016

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/spamspan

Package

Name: drupal/spamspan
Purl: pkg:composer/drupal/spamspan

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.2.1

Database specific

{
    "constraint": "<3.2.1"
}

Database specific

affected_versions

"<3.2.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/spamspan/DRUPAL-CONTRIB-2025-016.json"