Vulnerability from drupal
Published
2025-03-19 18:52
Modified
2025-03-31 22:07
Summary
Details

This module adds a formatter for link fields that displays the current entity with another view mode inside the link.

Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).

A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.

This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.

Credits
Daniel Wehner (dawehner) www.drupal.org/u/dawehner
Joseph Zhao (pandaski) www.drupal.org/u/pandaski
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.6.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/link_field_display_mode_formatter"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.6.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-31695"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/dawehner"
      ],
      "name": "Daniel Wehner (dawehner)"
    },
    {
      "contact": [
        "https://www.drupal.org/u/pandaski"
      ],
      "name": "Joseph Zhao (pandaski)"
    }
  ],
  "details": "This module adds a formatter for link fields that displays the current entity with another view mode inside the link.\n\nDrupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).\n\nA separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.\n\nThis vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or a contrib or custom module.",
  "id": "DRUPAL-CONTRIB-2025-024",
  "modified": "2025-03-31T22:07:08.000Z",
  "published": "2025-03-19T18:52:53.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-024"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.