Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-December-03
Security risk:
Vulnerability:
Cross-site Scripting
Affected versions:
<1.2.44
CVE IDs:
CVE-2025-13983
Description:
This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.
The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.
Solution:
Install the latest version:
- If you use the Tagify module for Drupal, upgrade to Tagify 1.2.44.
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
- Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
- David Galeano (gxleano)
- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
Coordinated By:
- Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
