Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Project: Paragraphs table
Date: 2025-June-25
Security risk: Moderately critical 13 ∕ 25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: >=2.0.0 <2.0.5
CVE IDs: CVE-2025-6677
Description: Project Paragraphs table provides a field for a collection table.
The module doesn't sufficiently sanitise certain data attributes, allowing Cross Site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.
Solution: Install the latest version:
- If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to Paragraphs table 2.0.5
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team