DRUPAL-CONTRIB-2025-029

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/obfuscate/DRUPAL-CONTRIB-2025-029.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-029
Aliases
Published
2025-04-02T17:03:15Z
Modified
2025-12-10T23:41:12.643375Z
Summary
[none]
Details

This module enables you to obfuscate email addresses, to avoid them being easily available to spammers.

The module doesn't sufficiently sanitise input when ROT13 encoding is used.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML tag attributes. In a default Drupal installation this would require the administrator role and use of the Full HTML text format. It also requires that the ROT13 encoding be enabled in Obfuscate settings.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/obfuscate

Package

Name
drupal/obfuscate
Purl
pkg:composer/drupal/obfuscate

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.1
Database specific
{
    "constraint": "<2.0.1"
}

Database specific

affected_versions
"<2.0.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/obfuscate/DRUPAL-CONTRIB-2025-029.json"