Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Project:

Block Class

Date:

2025-April-23

Security risk:

Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

>=4.0.0 <4.0.1

CVE IDs:

CVE-2025-3902

Description:

Block Class enables you to add custom attributes to blocks.

The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer block classes".

Solution:

Install the latest version:

If you use the Block Class on 4.0.x upgrade to Block Class 4.0.1

Reported By:

Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By:

renatog

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community