Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

Wed, 2025-01-22 09:01 — Anonymous (not verified)

Project: Ignition Error PagesDate: 2025-January-22Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.0.4Description: This module enables you to render error pages using the Ignition package.
The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that this module is for development purposes and is not intended to be installed on production environments.Solution: Install the latest version:

If you use the Ignition Error Pages module for Drupal 10/11, upgrade to Ignition Error Pages 1.0.4

Reported By:

Dieter Holvoet

Fixed By:

catch of the Drupal Security Team
Dieter Holvoet
Heine Deelstra of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
James Gilliland of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-007

Search form

Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007