"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

Wed, 2023-09-06 09:33 — Anonymous (not verified)

Project: WebProfilerDate: 2023-September-06Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingAffected versions: > 10.1.0 < 10.1.1Description: The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.
The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.
This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.Solution: Install the latest version:

If you use the WebProfiler module for Drupal 10x, upgrade to WebProfiler 10.1.1

Reported By:

Pierre Rudloff

Fixed By:

Coordinated By:

Damien McKenna of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-044

Search form

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044