Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
Project: Block Attributes
Date: 2025-July-16
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.1.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7715
Description: This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.
This vulnerability is partially mitigated by the requirement to manually add the specific attributes and corresponding JavaScript code to the form after the attribute has been created.
Solution: Install the latest version:
- If you use the Block Attributes module for Drupal, upgrade to Block Attributes 8.x-1.1 or Block Attributes 2.0.1.
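The description above says the module did not sufficiently validate attribute names. The following plain PHP is an added illustration of the kind of check a module that lets site builders add arbitrary attributes needs; it is not code from the Block Attributes module or from its fix, whose exact change is not reproduced here. It rejects every event-handler attribute (all of which start with "on"), only emits names from an allowlist, and escapes attribute values. The function names, the allowlist, the sample input and PHP 8 (for str_starts_with) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Block Attributes module. Function names,
// the allowlist and the sample input below are assumptions for illustration.

/**
 * Returns TRUE when $name may be emitted as an attribute on a block element.
 */
function example_is_safe_attribute_name(string $name): bool {
  $name = strtolower(trim($name));

  // Only a plain attribute token: no whitespace, quotes, '=', '/', '<', '>'
  // or control characters that could close the attribute or the tag.
  if (!preg_match('/^[a-z][a-z0-9_:-]*\z/', $name)) {
    return FALSE;
  }

  // Every HTML event handler attribute (onmouseover, onkeyup, onclick, ...)
  // starts with "on". Reject the whole family instead of maintaining a
  // denylist of individual handler names that is bound to be incomplete.
  if (str_starts_with($name, 'on')) {
    return FALSE;
  }

  // Allowlist (an assumption for this example): attributes a site builder
  // legitimately adds to a block wrapper. URL-carrying attributes such as
  // href, src and formaction are deliberately absent, because a javascript:
  // URL in their value would be a second script-execution vector.
  static $allowed = ['id', 'class', 'title', 'role', 'lang', 'dir', 'tabindex'];
  return in_array($name, $allowed, TRUE)
    || str_starts_with($name, 'data-')
    || str_starts_with($name, 'aria-');
}

/**
 * Builds the attribute string for a block from a name => value map,
 * dropping unsafe names and escaping every value.
 */
function example_render_block_attributes(array $attributes): string {
  $parts = [];
  foreach ($attributes as $name => $value) {
    if (!example_is_safe_attribute_name((string) $name)) {
      // In a Drupal form validate handler this is where the module would
      // reject the submission with $form_state->setErrorByName(); this
      // stand-alone example simply drops the attribute.
      continue;
    }
    $parts[] = strtolower(trim((string) $name)) . '="'
      . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
  }
  return implode(' ', $parts);
}

// Constructed sample input: the first three names are event handlers of the
// kind the advisory describes, the fourth is a malformed name, the last two
// are legitimate (one with a value that needs escaping).
$sample = [
  'onmouseover' => 'handler()',
  'onkeyup'     => 'handler()',
  'ONCLICK'     => 'handler()',
  'title="x'    => 'y',
  'class'       => 'hero-block',
  'data-track'  => 'home"><b>',
];

foreach ($sample as $name => $value) {
  printf("%-12s %s\n", $name, example_is_safe_attribute_name($name) ? 'allowed' : 'rejected');
}
echo example_render_block_attributes($sample), PHP_EOL;
```

Run with `php example.php`: only class and data-track survive, and the quote and angle brackets in the data-track value come out as HTML entities. Checking the name with a regex before the allowlist matters because a name containing a quote or `>` would otherwise let the value escape the attribute even when the value itself is escaped.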
Reported By:
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team