Date
Severity: Moderately Critical
Vulnerability: Cross-site scripting
Affected versions: <7.x-1.4

Description

The Responsive Favicons module adds the favicons generated by realfavicongenerator.net to your Drupal site.

The module does not filter administrator-entered text, leading to a persistent cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive favicons".
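
One way to filter this kind of input, given here as an added example and not the module's code or its actual fix. It assumes the administrator-entered text is the HTML head markup produced by the generator; the function name `filter_favicon_tags`, the allowlist and the sample input are hypothetical.

```php
<?php
// Added example, not the module's code.
// Constructed input: favicon markup as an administrator might paste it,
// with an unexpected script element and event-handler attribute mixed in.
$entered = <<<'HTML'
<link rel="icon" type="image/png" href="/favicons/favicon-32x32.png" sizes="32x32">
<meta name="theme-color" content="#ffffff">
<script>/* constructed placeholder */</script>
<link rel="icon" href="/favicons/favicon.ico" onload="/* constructed placeholder */">
HTML;

/**
 * Keeps only <link> and <meta> elements, and only allowlisted attributes,
 * then re-serialises them with every attribute value escaped.
 */
function filter_favicon_tags($html) {
  // Hypothetical allowlist: tag name => attributes that may be kept.
  $allowed = array(
    'link' => array('rel', 'type', 'href', 'sizes', 'color'),
    'meta' => array('name', 'content'),
  );
  libxml_use_internal_errors(TRUE); // Tolerate markup libxml warns about.
  $doc = new DOMDocument();
  $doc->loadHTML('<html><head>' . $html . '</head></html>');
  libxml_clear_errors();
  $out = array();
  foreach ($doc->getElementsByTagName('*') as $el) {
    $tag = strtolower($el->nodeName);
    if (!isset($allowed[$tag])) {
      continue; // script, style, iframe and so on are dropped entirely.
    }
    $attrs = '';
    foreach ($allowed[$tag] as $name) {
      if (!$el->hasAttribute($name)) {
        continue;
      }
      $value = $el->getAttribute($name);
      // href must be http(s) or site-relative; otherwise reject the whole tag.
      if ($name === 'href' && !preg_match('#^(https?://|/)#i', $value)) {
        continue 2;
      }
      $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    $out[] = '<' . $tag . $attrs . ' />';
  }
  return implode("\n", $out);
}

echo filter_favicon_tags($entered), "\n";
```

Inside Drupal 7 itself, core's `filter_xss()` accepts a list of allowed tags and serves the same purpose.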

Solution

Install the latest version, then confirm the permissions associated with the module are assigned to appropriate roles.

If you use the Responsive Favicons module for Drupal 7, upgrade to Responsive Favicons 7.x-1.4:


Reported by

Fixed by

Coordinated by