SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

Project

SpamSpan filter

Date

April 09, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability

Cross Site Scripting

Affected versions

7.x-1.4

Description

This module enables your site to obfuscate Email addresses and prevent spambots to collect them.

The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

This is mitigated by the fact an attacker must be able to insert span HTML elements with data attributes in the page.

Solution

Install the latest version.

If you use the SpamSpan filter module for Drupal 7, upgrade to SpamSpan 7.x-1.5:

spamspan-7.x-1.5-IeX7j4rTy9NvVgh0.tar.gz
spamspan-7.x-1.5-IeX7j4rTy9NvVgh0.zip

Reported by

Pierre Rudloff (prudloff)

Fixed by

Julian Pustkuchen (anybody)
Joshua Sedler (grevil)
Adam Nagy (joevagyok)
Pierre Rudloff (prudloff)
Tag1 D7ES

Coordinated by

Tag1 D7ES