Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

Project:

Date:

2023-August-30

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

<1.1.1

Description:

This module makes PatternLab's custom Twig functions available to Drupal theming.

The module's included examples don't sufficiently filter data.

This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

Solution:

Install the latest version:

If you use the Unified Twig Extensions module, upgrade to Unified Twig Extensions 1.1.1

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.