Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077

Wed, 2025-06-25 11:41 — Anonymous (not verified)

Project: Toc.jsDate: 2025-June-25Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-48923Description: This module enables you to generate Table of content of your pages given a configuration.
The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.Solution: Install the latest version:

If you use the Toc JS module, upgrade to Toc Js 3.2.1

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Flocon de toile (flocondetoile)
Frank Mably (mably)
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-077

Search form

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077