Vulnerability-Lookup

Vulnerability from drupal

Published

2025-12-03 18:48

Modified

2025-12-03 18:48

Summary

Details

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

Credits

Drew Webber (mcdruid) www.drupal.org/u/mcdruid

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.2.44"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/tagify"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.2.44"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-13983"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/mcdruid"
      ],
      "name": "Drew Webber (mcdruid)"
    }
  ],
  "details": "This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.\n\nThe module does not sufficiently sanitize the `infoLabel` value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.\n\nThis vulnerability is mitigated by the fact that only uncommon module configurations expose the affected `infoLabel` output, and an attacker must have user-level access to supply or manipulate this value.",
  "id": "DRUPAL-CONTRIB-2025-121",
  "modified": "2025-12-03T18:48:57.000Z",
  "published": "2025-12-03T18:48:57.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-121"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-13983 (GCVE-0-2025-13983)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:52

Title

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Summary

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-121

Impacted products

	Vendor	Product	Version
	Drupal	Tagify	Affected: 0.0.0 , < 1.2.44 (semver)

Credits

Drew Webber (mcdruid) Bram Driesen (bramdriesen) David Galeano (gxleano) Lee Rowlands (larowlan) Drew Webber (mcdruid) Bram Driesen (bramdriesen) Greg Knaddison (greggles) Drew Webber (mcdruid) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13983",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:52:20.904164Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:52:24.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/tagify",
          "defaultStatus": "unaffected",
          "product": "Tagify",
          "repo": "https://git.drupalcode.org/project/tagify",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.2.44",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "David Galeano (gxleano)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lee Rowlands (larowlan)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:48:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Tagify: from 0.0.0 before 1.2.44.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:09.110Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-121"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13983",
    "datePublished": "2026-01-28T20:02:09.110Z",
    "dateReserved": "2025-12-03T17:04:24.229Z",
    "dateUpdated": "2026-01-29T17:52:24.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-13983 (GCVE-0-2025-13983)

Tags

Sightings

Nomenclature