Moderately Critical XSS Vulnerability in GOV.UK Theme
On February 23rd 2022, the Drupal Security Team announced a moderately critical Cross-Site Scripting (XSS) vulnerability in the GOV.UK Theme, SA-CONTRIB-2022-027. The vulnerability is classified as moderately critical based on its risk score of 14/25 [AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All].
The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System. This theme utilizes the GOV.UK Design System Frontend node module and has Twig template files for the majority of the GOV.UK styles, components, and patterns.
The theme doesn't sanitize user input in certain cases, which leads to Cross-Site Scripting (XSS) vulnerabilities. Certain entities or configuration can be created or edited to exploit one or more of these XSS vulnerabilities against visitors to the site, including site admins with privileged access.
The vulnerability is mitigated by the following facts:
- An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
- For some of the vulnerabilities, certain contributed modules must be enabled.
Solution: If you use the govuk_theme for Drupal 9.x, upgrade to govuk_theme 8.x-1.9 https://www.drupal.org/project/govuk_theme/releases/8.x-1.9
The vulnerability was reported by Patrick Fey and fixed by Andrew Hughes-Onslow and Patrick Fey. This security fix was coordinated by Chris McCafferty and Damien McKenna of the Drupal Security Team.