Project: 
Date: 
2025-April-23
Vulnerability: 
Cross Site Scripting
Affected versions: 
<2.1.3
CVE IDs: 
CVE-2025-3900
Description: 

Colorbox is a module that allows images and iframed or inline content to be displayed in a modal above the current page.

The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

Solution: 

Install the latest version:

  • If you use the Colorbox module 2.1.x for Drupal 10 or above, upgrade to Colorbox 2.1.3
  • If you use the Colorbox module 2.0.x, upgrade to Colorbox 2.1.3, as the 2.0.x branch becomes unsupported.
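
To confirm whether a site is still on an affected release, this added example (not part of the advisory or of the Colorbox project) reads a `composer.lock` and flags Colorbox versions below 2.1.3. It assumes the module is installed through Composer under the package name `drupal/colorbox`; the function names and the sample lock data are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/colorbox"  # assumption: Composer package name of the module
FIXED = (2, 1, 3)            # first fixed release according to the advisory

# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "10.4.0"},
    {"name": "drupal/colorbox", "version": "2.1.2"}
  ],
  "packages-dev": []
}"""

def parse_version(raw):
    """Return (major, minor, patch) for a plain x.y.z tag, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def check_lock(lock_text):
    """Return [(version, status)] for every Colorbox entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") != PACKAGE:
                continue
            raw = str(pkg.get("version", ""))
            ver = parse_version(raw)
            if ver is None:
                # Dev branches and pre-releases (e.g. dev-2.1.x) cannot be
                # compared reliably; report them for manual review.
                status = "unknown"
            elif ver < FIXED:
                status = "affected"
            else:
                status = "fixed"
            findings.append((raw, status))
    return findings

if __name__ == "__main__":
    for version, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}")
```

An `unknown` result means the locked version is a branch or pre-release reference and should be checked by hand against the 2.1.3 release.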
Reported By: 
Fixed By: 
Coordinated By: