DRUPAL-CONTRIB-2025-121

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2025-121.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-121

Aliases

CVE-2025-13983

Published

2025-12-03T18:48:57Z

Modified

2025-12-10T23:41:29.619511Z

Summary

[none]

Details

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

References

https://www.drupal.org/sa-contrib-2025-121

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tagify

Package

Name: drupal/tagify
Purl: pkg:composer/drupal/tagify

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.44

Database specific

{
    "constraint": "<1.2.44"
}

Database specific

affected_versions

"<1.2.44"