- GLightbox all versions prior to 1.x-1.0.3
GLightbox module provides integration with the GLightbox library, a JavaScript lightbox for images.
The module doesn't sufficiently sanitize text provided to the GLightbox JavaScript library, leading to a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions to edit content that is configured to support the GLightbox library.
Upgrade your site to the most recent version of the GLightbox module. Download available on the GLightbox project page.
- Olaf Grabienski
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Pavel (korontari), module maintainer
- Jen Lampton of the Backdrop CMS Security Team
- Ivan Abramenko (levmyshkin) for Drupal
- Jen Lampton of the Backdrop CMS Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team