Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

Project:

Date:

2024-December-11

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site scripting

Affected versions:

>=1.0.0 <2.0.2

CVE IDs:

CVE-2024-13308

Description:

This module provides a block that renders a link providing the functionality of a browser's back button.

The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution:

Install the latest version:

If you use the Browser Back Button module for Drupal 9.x/10.x, upgrade to Browser Back Button 2.0.2

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.