Project: 
Date: 
2025-December-03
Vulnerability: 
Cross-Site Scripting
Affected versions: 
<3.0.2
CVE IDs: 
CVE-2025-13979
Description: 

This module allows uploading a zip file and extracting its content into the public files directory so that the content is served from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could enable cross-site scripting. While serving such content is an expected feature, the module does not sufficiently restrict this functionality to trusted users holding a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the create [bundle] content permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

  1. If you use Mini site 2.x or 3.x, upgrade to Mini site 3.0.2.
  2. A new manage minisites permission has been added. This permission must be assigned to a trusted role before users in that role can upload zip files.
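
After completing both steps, a site owner will want to confirm that the new permission is held only by trusted roles. The following audit script is an added example, not part of the advisory or the Mini site module; it assumes the permission string is exactly `manage minisites` and that the trusted role IDs listed in `$trusted` match your site. Run it with `drush php:script` from a bootstrapped Drupal site.

```php
<?php
// Added audit script (not from the advisory or the Mini site project).
// Usage: drush php:script audit_minisite_perms.php
// Assumptions: the permission is named 'manage minisites' and the role IDs
// in $trusted are the only roles that should be able to upload zip files.

use Drupal\user\Entity\Role;

$permission = 'manage minisites';            // assumed permission string
$trusted = ['administrator', 'site_editor']; // assumed trusted role IDs; adjust

$findings = [];
foreach (Role::loadMultiple() as $rid => $role) {
  // Roles flagged is_admin implicitly hold every permission.
  $holds = $role->isAdmin() || $role->hasPermission($permission);
  if (!$holds) {
    continue;
  }
  if (in_array($rid, ['anonymous', 'authenticated'], TRUE)) {
    // Granting the permission to these roles reopens the issue for everyone.
    $status = 'REMOVE';
  }
  elseif (in_array($rid, $trusted, TRUE)) {
    $status = 'ok';
  }
  else {
    $status = 'REVIEW';
  }
  $findings[] = sprintf('%-20s %s', $rid, $status);
}

if ($findings === []) {
  // No role holds the permission: uploads are blocked for all users.
  print "No role holds '$permission'; zip upload is currently disabled.\n";
}
else {
  print "Roles holding '$permission':\n" . implode("\n", $findings) . "\n";
}
```

Any role reported as REVIEW or REMOVE should have the permission withdrawn at /admin/people/permissions unless its members are genuinely trusted to publish arbitrary HTML.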

Reported By: 
Fixed By: 
Coordinated By: