Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-June-25
Security risk:
Vulnerability:
Cross-site Scripting
Affected versions:
<3.2.1
CVE IDs:
CVE-2025-48923
Description:
This module enables you to generate Table of content of your pages given a configuration.
The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes using other modules.
Solution:
Install the latest version:
- If you use the Toc JS module, upgrade to Toc Js 3.2.1
Reported By:
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By:
- Flocon de toile (flocondetoile)
- Frank Mably (mably)
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
