DRUPAL-CONTRIB-2025-113

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/civictheme/DRUPAL-CONTRIB-2025-113.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-113

Aliases

CVE-2025-12083
GHSA-h72q-cq3w-h3wc

Published

2025-10-22T16:35:12Z

Modified

2025-12-10T23:41:00.574838Z

Summary

[none]

Details

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components.

CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with multiple instances of the Twig raw filter throughout CivicTheme components, allows for the injection of malicious scripts in browser contexts.

Additionally, CivicTheme fails to filter markup from SVGs embedded within the web page allowing potentially malicious scripts to be injected.

This vulnerability is mitigated by an attacker needing permission to create or edit content within a CivicTheme site.

CivicTheme with its default permissions restricts the creation of content to content author and content approver roles.

References

https://www.drupal.org/sa-contrib-2025-113

Credits

- Adam Bramley (acbramley)
- - https://www.drupal.org/u/acbramley
- Lee Rowlands (larowlan)
- - https://www.drupal.org/u/larowlan

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/civictheme

Package

Name: drupal/civictheme
Purl: pkg:composer/drupal/civictheme

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.12.0

Database specific

{
    "constraint": "<1.12.0"
}

Database specific

affected_versions

"<1.12.0"