Project
Date
Severity
Moderately Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-2.20
Description
The Colorbox module allows images, iframed content, or inline content to be displayed in a modal above the current page.
The Colorbox module doesn't sufficiently sanitize data attributes before opening modals.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.
This is a backport of https://www.drupal.org/sa-contrib-2025-041.
Solution
Install the latest version.
If you use the Colorbox module for Drupal 7, upgrade to Colorbox 7.x-2.20.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Tag1 D7ES