The vulnerability is a stored Cross-Site Scripting (XSS) issue within the 'Plausible tracking' Drupal module. The root cause is the improper handling of user-supplied data in the module's block configuration.
The `blockSubmit` function in the `PlausibleTracking` class directly saves the input for the 'Domains' field without any sanitization. An attacker with permissions to configure this block can therefore inject a malicious script into this field. Later, when the block is rendered on a page, the `build` function retrieves this stored value and inserts it into the `data-domain` attribute of a `<script>` tag. This results in the execution of the malicious script in the browser of any user visiting the page where the block is displayed. The patch resolves this by applying `Html::escape()` to the 'domains' input within the `blockSubmit` function, preventing the script from being rendered as executable code.
| Affected function | File |
|---|---|
| `Drupal\plausible_tracking\Plugin\Block\PlausibleTracking::blockSubmit` | `src/Plugin/Block/PlausibleTracking.php` |
| `Drupal\plausible_tracking\Plugin\Block\PlausibleTracking::build` | `src/Plugin/Block/PlausibleTracking.php` |
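The store-then-render pattern described above, reduced to plain PHP as an added example; this is not the module's own code and omits the Drupal block plugin plumbing. The function names (`escapeDomains`, `validateDomains`, `renderUnsafe`, `renderSafe`), the script URL and the two sample inputs are assumptions constructed for the illustration. `escapeDomains` performs the same `htmlspecialchars()` call that Drupal's `Html::escape()` wraps, which is what the patch applies; `validateDomains` shows the stricter option of rejecting anything that is not a list of hostnames before it is stored.

```php
<?php
declare(strict_types=1);

/**
 * Mirrors the fix: escape on save so '<', '>', '"' and "'" can no longer
 * close the attribute or open a new tag. Drupal's Html::escape() is a thin
 * wrapper around this htmlspecialchars() call.
 */
function escapeDomains(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Stricter alternative (an assumption, not what the module does): accept only a
 * comma-separated list of RFC 1123 style hostnames, each with at least one dot,
 * and return null for anything else so it is never stored.
 */
function validateDomains(string $raw): ?string
{
    $domains = array_map('trim', explode(',', $raw));
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    foreach ($domains as $d) {
        if (!preg_match('/^' . $label . '(\.' . $label . ')+$/', $d)) {
            return null;
        }
    }
    return implode(',', $domains);
}

/** Unsafe rendering: the stored value lands in the attribute verbatim. */
function renderUnsafe(string $storedDomains): string
{
    // Script URL is a placeholder standing in for the Plausible snippet.
    return '<script defer data-domain="' . $storedDomains
        . '" src="https://plausible.io/js/script.js"></script>';
}

/** Hardened rendering: escape at output time regardless of what was stored. */
function renderSafe(string $storedDomains): string
{
    return '<script defer data-domain="' . escapeDomains($storedDomains)
        . '" src="https://plausible.io/js/script.js"></script>';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs: one legitimate, one carrying attribute-breaking characters.
$good = 'example.com, stats.example.org';
$bad  = 'example.com"><img src=x onerror=alert(1)>';

check(validateDomains($good) === 'example.com,stats.example.org', 'good input accepted');
check(validateDomains($bad) === null, 'bad input rejected before storage');
check(strpos(renderUnsafe($bad), '<img') !== false, 'unsafe render injects a tag');
check(strpos(renderSafe($bad), '<img') === false, 'safe render keeps the attribute closed');
check(strpos(renderSafe($bad), '&lt;img') !== false, 'safe render encodes the angle bracket');

echo renderSafe($good), PHP_EOL;
```

Escaping on save, as the patch does, is sufficient here because a valid domain list contains none of the characters that `htmlspecialchars()` changes, so legitimate configuration is stored unchanged. Validating the field on submit as well gives defence in depth: the configuration can then only ever hold hostnames, and any later code path that renders it without escaping has nothing exploitable to work with.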
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/plausible_tracking | composer | < 1.0.2 | 1.0.2 |