Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Project: Paragraphs tableDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: >=2.0.0 <2.0.5CVE IDs: CVE-2025-6677Description: Project Paragraphs table provides a field for a collection table.
The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.Solution: Install the latest version:

• If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to paragraphs table 2.0.5

Reported By: 

• Pierre Rudloff (prudloff)

Fixed By: 

• Joseph Olstad (joseph.olstad)
• NGUYEN Bao (lazzyvn)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team