As an academic group, we wanted to improve the look and feel of our website on a tight budget. The team at Project Ricochet was consistently responsive to our concerns and willing to help us meet our goals. They were transparent with their costs, which allowed us to pick and choose which features and changes we deemed most important. Thanks to this transparency, our new website is a substantial improvement over the old that we were able to achieve in a cost-effective fashion.
—Justin Inman, UCSF

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078

Wed, 2025-06-25 11:41 — Anonymous (not verified)

Project: GLightboxDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: <1.0.16CVE IDs: CVE-2025-48922Description: GLightbox module is a pure Javascript lightbox for CKEditor.
The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the Glightbox module.Solution: Install the latest version:

If you use the GLightbox module, upgrade to GLightbox 1.0.16

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Ivan Abramenko (levmyshkin)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-078

Search form

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078