- Mail Disguise module, all versions prior to 1.x-1.0.5
The Mail Disguise module enables a Backdrop website to obfuscate email addresses, and should prevent spambots from collecting them. The module doesn't sufficiently validate the data attribute value on links, potentially leading to a cross-site scripting (XSS) vulnerability.
This is mitigated by the fact that an attacker must be able to insert link (<a>) HTML elements containing data attributes into the page.
Upgrade to the most recent version of the Mail Disguise module. Download available on the Mail Disguise module page.
- Jen Lampton of the Backdrop CMS Security Team