Project Ricochet's top notch developers, designers and PM’s allowed us to bring our vision of an e-commerce style class search to life. We had a tight budget and a lot of unexpected problems on the Berkeley side. Utilizing Ricochet's state of the art tracking tools and disciplined scrum approach allowed us to surmount every challenge and end up with a fantastic application. We loved the creative collaboration that allowed us to remake a boring campus class schedule into a high-octane search tool that our students and faculty love! Thank you Casey and the whole PR team!
—Johanna Metzgar

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078

Wed, 2025-06-25 11:41 — Anonymous (not verified)

Project: GLightboxDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: <1.0.16CVE IDs: CVE-2025-48922Description: GLightbox module is a pure Javascript lightbox for CKEditor.
The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.Solution: Install the latest version:

If you use the GLightbox module, upgrade to GLightbox 1.0.16

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Ivan Abramenko (levmyshkin)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-078

Search form

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078