Vulnerability from drupal
Published
2025-04-09 17:04
Modified
2025-04-09 17:04
Summary
Details

Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.

The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.

This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.

Credits
Pierre Rudloff (prudloff) www.drupal.org/u/prudloff
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.5.0 || \u003e=2.0.1 \u003c2.0.4",
        "patched": true
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/gifplayer"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.5.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": "\u003e=2.0.1 \u003c2.0.4"
          },
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-31128"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/prudloff"
      ],
      "name": "Pierre Rudloff (prudloff)"
    }
  ],
  "details": "Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters.\n\nThe module uses [GifPlayer jQuery library](https://github.com/rubentd/gifplayer) to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn\u0027t satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.",
  "id": "DRUPAL-CONTRIB-2025-032",
  "modified": "2025-04-09T17:04:46.000Z",
  "published": "2025-04-09T17:04:46.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-032"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.