DRUPAL-CORE-2025-004

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2025-004.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2025-004

Aliases

Published

2025-03-19T18:54:35Z

Modified

2025-12-10T23:41:14.883365Z

Summary

[none]

Details

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Sites with the Link module disabled or that do not use any link fields are not affected.

References

https://www.drupal.org/sa-core-2025-004

Credits

- Samuel Mortenson (samuel.mortenson)
- - https://www.drupal.org/u/samuelmortenson

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

10.3.14

Database specific

{
    "constraint": ">= 8.0.0 < 10.3.14"
}

Type

ECOSYSTEM

Events

Introduced

10.4.0

Fixed

10.4.5

Database specific

{
    "constraint": ">= 10.4.0 < 10.4.5"
}

Type

ECOSYSTEM

Events

Introduced

11.0.0

Fixed

11.0.13

Database specific

{
    "constraint": ">= 11.0.0 < 11.0.13"
}

Type

ECOSYSTEM

Events

Introduced

11.1.0

Fixed

11.1.5

Database specific

{
    "constraint": ">= 11.1.0 < 11.1.5"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

8.8.10

8.8.11

8.8.12

8.9.0-beta1

8.9.0-beta2

8.9.0-beta3

8.9.0-rc1

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.7

8.9.8

8.9.9

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.19

8.9.20

9.*

9.0.0-alpha1

9.0.0-alpha2

9.0.0-beta1

9.0.0-beta2

9.0.0-beta3

9.0.0-rc1

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.9

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.1.0-alpha1

9.1.0-beta1

9.1.0-rc1

9.1.0-rc2

9.1.0-rc3

9.1.0

9.1.1

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

9.1.7

9.1.8

9.1.9

9.1.10

9.1.11

9.1.12

9.1.13

9.1.14

9.1.15

9.2.0-alpha1

9.2.0-beta1

9.2.0-beta2

9.2.0-beta3

9.2.0-rc1

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.2.10

9.2.11

9.2.12

9.2.13

9.2.14

9.2.15

9.2.16

9.2.17

9.2.18

9.2.19

9.2.20

9.2.21

9.3.0-alpha1

9.3.0-beta1

9.3.0-beta2

9.3.0-beta3

9.3.0-rc1

9.3.0

9.3.1

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.19

9.3.20

9.3.21

9.3.22

9.4.0-alpha1

9.4.0-beta1

9.4.0-rc1

9.4.0-rc2

9.4.0

9.4.1

9.4.2

9.4.3

9.4.4

9.4.5

9.4.6

9.4.7

9.4.8

9.4.9

9.4.10

9.4.11

9.4.12

9.4.13

9.4.14

9.4.15

9.5.0-beta1

9.5.0-beta2

9.5.0-rc1

9.5.0-rc2

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7

9.5.8

9.5.9

9.5.10

9.5.11

10.*

10.0.0-alpha1

10.0.0-alpha2

10.0.0-alpha3

10.0.0-alpha4

10.0.0-alpha5

10.0.0-alpha6

10.0.0-alpha7

10.0.0-beta1

10.0.0-beta2

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.1.0-alpha1

10.1.0-beta1

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.1.3

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.2.0-alpha1

10.2.0-beta1

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.2.5

10.2.6

10.2.7

10.2.8

10.2.9

10.2.10

10.2.11

10.2.12

10.3.0-beta1

10.3.0-rc1

10.3.0

10.3.1

10.3.2

10.3.3

10.3.4

10.3.5

10.3.6

10.3.7

10.3.8

10.3.9

10.3.10

10.3.11

10.3.12

10.3.13

10.4.0

10.4.1

10.4.2

10.4.3

10.4.4

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9

11.0.10

11.0.11

11.0.12

11.1.0

11.1.1

11.1.2

11.1.3

11.1.4

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2025-004.json"

affected_versions

">= 8.0.0 < 10.3.14 || >= 10.4.0 < 10.4.5 || >= 11.0.0 < 11.0.13 || >= 11.1.0 < 11.1.5"