"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069

Wed, 2025-05-21 10:29 — Anonymous (not verified)

Project: LightgalleryDate: 2025-May-21Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.6.0CVE IDs: CVE-2025-48447Description: This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view.
The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting (XSS) attacks when tags or scripts are inserted.
This vulnerability is partially mitigated by the requirement that an attacker must have permission to create content containing an image field configured to use the LightGallery format.Solution: Install the latest version:

If you use the Lightgallery module, upgrade to Lightgallery 8.x-1.6

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Murilo Henrique Pucci (murilohp)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)

Path to article https://www.drupal.org/sa-contrib-2025-069

Search form

Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069