Newsfeed-Generator

Project: Mini siteDate: 2025-December-03Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-Site ScriptingAffected versions: <3.0.2CVE IDs: CVE-2025-13979Description: 

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create [bundle] content permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

1. If you use Mini site 2.x or 3.x versions, upgrade to the Mini site 3.0.2.

2. A new manage minisites permission has been added. This new permission will need to be assigned to a trusted role for the user to be able to upload the zip file.

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• cb_govcms

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team