Vulnerability in Drupal's Unified Twig Module Raises Cross-Site Scripting Concerns


The Unified Twig module for Drupal has recently been found to contain a moderately critical vulnerability that raises concerns about cross-site scripting attacks. The flaw exists in version 1.1.0 of the module. The Drupal Security Team rated it Moderately critical, 13∕25 (AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default).

This module allows PatternLab's custom Twig functions to be used in Drupal themes. However, the examples included in the module lack proper data filtering. The risk is reduced because the examples must be manually added to a site's theme for the vulnerability to be relevant.

An updated version of the module has been released with the fix. If you have copied the examples from 1.1.0 of this module into your theme, remove them, or update the code to the version that comes with the security-fixed release of the module.
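One way to check whether the 1.1.0 examples were copied into a theme, as an added example that is not code from the module or the advisory: it compares a theme directory against the examples directory of an unpacked 1.1.0 copy. Both directory paths are supplied by the operator, since the page does not name them, and the function name is hypothetical.

```python
import hashlib
import sys
from pathlib import Path


def _digest(path):
    """SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_copied_examples(examples_dir, theme_dir):
    """Return (theme_file, example_file, kind) for theme files that look copied.

    kind is "identical" when the content matches a shipped example byte for
    byte (even if renamed), or "same-name" when only the file name matches,
    which suggests a copy that was edited afterwards and needs manual review.
    """
    by_hash, by_name = {}, {}
    for example in sorted(Path(examples_dir).rglob("*")):
        # Skip directories and empty files (all empty files hash alike).
        if example.is_file() and example.stat().st_size > 0:
            by_hash.setdefault(_digest(example), example)
            by_name.setdefault(example.name, example)

    findings = []
    for candidate in sorted(Path(theme_dir).rglob("*")):
        if not candidate.is_file() or candidate.stat().st_size == 0:
            continue
        match = by_hash.get(_digest(candidate))
        if match is not None:
            findings.append((candidate, match, "identical"))
        elif candidate.name in by_name:
            findings.append((candidate, by_name[candidate.name], "same-name"))
    return findings


if __name__ == "__main__":
    # Usage: script.py <examples dir from unpacked 1.1.0> <theme dir>
    if len(sys.argv) != 3:
        sys.exit("usage: script.py EXAMPLES_DIR THEME_DIR")
    for theme_file, example, kind in find_copied_examples(sys.argv[1], sys.argv[2]):
        print(f"{kind:10} {theme_file}  (example: {example})")
```

An "identical" hit should be removed or replaced with the file from the fixed release; a "same-name" hit may be coincidental and should be compared by hand.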

This disclosure comes courtesy of the Drupal.org Security Team.
