"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Wed, 2025-06-25 11:42 — Anonymous (not verified)

Project: Simple XML sitemapDate: 2025-June-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site ScriptingAffected versions: < 4.2.2CVE IDs: CVE-2025-6676Description: Simple XML sitemap is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.
The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting (XSS) attack vector.
This vulnerability is mitigated by the fact that an attacker must have the administrative permission 'administer sitemap settings'.Solution: This vulnerability requires 2 steps:

If you use simple_sitemap upgrade to at least 4.2.2 or a later, supported version.
For all versions, ensure your permissions are assigned to appropriate roles and users with "administer sitemap settings" permission are trusted.

Reported By:

Nick Vanpraet (grayle)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Michael Hess (mlhess) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-083

Search form

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083