CVE-2025-31128
gifplayer XSS vulnerability
描述
Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses [GifPlayer jQuery library](https://github.com/rubentd/gifplayer) to render the GIF according to configured setups for the Field Formatter. The external Gif Player Library doesn't satinize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks. This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag with a data-label element. There are no fields that allow that element on a default Drupal site for a user with user-level permissions.
如何修補 CVE-2025-31128
要修補 CVE-2025-31128,請將受影響套件升級到下列已修補版本。
- —升級至 0.3.7 或更新版本
- —升級至 1.5.0 或更新版本
CVE-2025-31128 正在被利用嗎?
低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。
受影響套件(2)
- from 0, < 0.3.7
- from 0, < 1.5.0 | >= 2.0.1, < 2.0.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |