"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077

Wed, 2025-06-25 11:41 — Anonymous (not verified)

Project: Toc.jsDate: 2025-June-25Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross-site ScriptingAffected versions: <3.2.1CVE IDs: CVE-2025-48923Description: This module enables you to generate Table of content of your pages given a configuration.
The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.Solution: Install the latest version:

If you use the Toc JS module, upgrade to Toc Js 3.2.1

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Flocon de toile (flocondetoile)
Frank Mably (mably)
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-077

Search form

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077