DRUPAL-CONTRIB-2025-024

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/link_field_display_mode_formatter/DRUPAL-CONTRIB-2025-024.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-024

Aliases

CVE-2025-31695
GHSA-p2wg-8h29-874v

Published

2025-03-19T18:52:53Z

Modified

2025-12-10T23:41:13.495955Z

Summary

[none]

Details

This module adds a formatter for link fields that displays the current entity with another view mode inside the link.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

References

https://www.drupal.org/sa-contrib-2025-024

Credits

- Daniel Wehner (dawehner)
- - https://www.drupal.org/u/dawehner
- Joseph Zhao (pandaski)
- - https://www.drupal.org/u/pandaski

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/link_field_display_mode_formatter

Package

Name: drupal/link_field_display_mode_formatter
Purl: pkg:composer/drupal/link_field_display_mode_formatter

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.6.0

Database specific

{
    "constraint": "<1.6.0"
}

Database specific

affected_versions

"<1.6.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/link_field_display_mode_formatter/DRUPAL-CONTRIB-2025-024.json"