logo

Database

Server side cross-site scripting In drupal/minisite

Description

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create [bundle] content permission.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-139792. NVD-2025-139793. OSV-DRUPAL-CONTRIB-2025-1174. OSV-2025-139795. GCVE-2025-139796. drupal.org

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.