DRUPAL-CONTRIB-2025-117

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/minisite/DRUPAL-CONTRIB-2025-117.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-117
Aliases
  • CVE-2025-13979
Published
2025-12-03T18:47:37Z
Modified
2025-12-10T23:41:30.119019Z
Summary
[none]
Details

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the "create [bundle] content" permission.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/minisite

Package

Name
drupal/minisite
Purl
pkg:composer/drupal/minisite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.0.2
Database specific
{
    "constraint": "<3.0.2"
}

Database specific

affected_versions

"<3.0.2"