Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

Project: Block Attributes

Date: 2025-July-16

Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Cross-site Scripting

Affected versions: <1.1.0 || >=2.0.0 <2.0.1

CVE IDs: CVE-2025-7715

Description: This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.
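
A server-side check of the kind the description says is missing, as an added example; it is not the module's code or its actual fix. The function names and the allowlist contents are assumptions, and `str_starts_with()` requires PHP 8.

```php
<?php
// Added example: hypothetical helpers, not part of the Block Attributes module.
// Allowlist contents are an assumption; adjust to what a site really needs.
const ALLOWED_EXACT = ['id', 'class', 'role', 'title', 'lang', 'dir'];
const ALLOWED_PREFIXES = ['data-', 'aria-'];

function is_safe_attribute_name(string $name): bool {
  // Browsers match attribute names case-insensitively, so normalise first.
  $name = strtolower(trim($name));
  // Conservative name syntax: rejects whitespace, quotes, "=", "<", ">" and
  // "/", which could otherwise smuggle a second attribute into the tag.
  if (!preg_match('/^[a-z][a-z0-9_-]*$/', $name)) {
    return FALSE;
  }
  // Event handler attributes (onmouseover, onkeyup, ...) all start with "on".
  // The allowlist below already excludes them; this explicit check keeps them
  // out even if the allowlist is widened later.
  if (str_starts_with($name, 'on')) {
    return FALSE;
  }
  if (in_array($name, ALLOWED_EXACT, TRUE)) {
    return TRUE;
  }
  foreach (ALLOWED_PREFIXES as $prefix) {
    if (str_starts_with($name, $prefix) && strlen($name) > strlen($prefix)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Builds the attribute string for a tag: unsafe names are dropped and every
// value is HTML-escaped so it cannot close the quoted attribute value.
function render_attributes(array $attributes): string {
  $out = '';
  foreach ($attributes as $name => $value) {
    if (is_safe_attribute_name((string) $name)) {
      $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
      $out .= ' ' . strtolower(trim((string) $name)) . '="' . $escaped . '"';
    }
  }
  return $out;
}

// Constructed sample input: two legitimate attributes and three rejected ones.
$sample = ['data-track' => 'hero', 'aria-label' => 'Say "hi"',
  'onmouseover' => 'x()', 'OnKeyUp' => 'x()', 'data-x onclick' => 'x()'];
echo '<div' . render_attributes($sample) . "></div>\n";
// Prints: <div data-track="hero" aria-label="Say &quot;hi&quot;"></div>
```
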
This vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.

Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2025-090