Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Wed, 2025-06-25 11:42 — Anonymous (not verified)

Project: Simple XML sitemapDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: < 4.2.2CVE IDs: CVE-2025-6676Description: Simple XML sitemap is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.
The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting (XSS) attack vector.
This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.Solution: This vulnerability requires 2 steps:

If you use simple_sitemap upgrade to at least 4.2.2 or a later, supported version.
For all versions, ensure your permissions are assigned to appropriate roles and users with "administer sitemap settings" permission are trusted.

Reported By:

Nick Vanpraet (grayle)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Michael Hess (mlhess) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-083

Search form

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083