GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027

Project: GOV.UK Theme
Date: 2022-February-23
Security risk: Moderately critical 14/25
Vulnerability: Cross site scripting

Description

The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.

The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.

The vulnerability is mitigated by the following facts:

An attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
For some of the vulnerabilities, certain contributed modules must be enabled.

Solution

Install the latest version:
