DRUPAL-CONTRIB-2025-069

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/lightgallery/DRUPAL-CONTRIB-2025-069.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-069

Aliases

CVE-2025-48447
GHSA-w5px-5878-m9x4

Published

2025-05-21T17:29:25Z

Modified

2025-12-10T23:41:10.570779Z

Summary

[none]

Details

This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view.

The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting (XSS) attacks when tags or scripts are inserted.

This vulnerability is partially mitigated by the requirement that an attacker must have permission to create content containing an image field configured to use the LightGallery format.

References

https://www.drupal.org/sa-contrib-2025-069

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/lightgallery

Package

Name: drupal/lightgallery
Purl: pkg:composer/drupal/lightgallery

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.6.0

Database specific

{
    "constraint": "<1.6.0"
}

Database specific

affected_versions

"<1.6.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/lightgallery/DRUPAL-CONTRIB-2025-069.json"