Drupal Pattern Lab Unified Twig Extensions Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Drupal Pattern Lab Unified Twig Extensions package, affecting all versions prior to 1.1.1. The package does not sufficiently filter data that it emits as HTML from its Twig link function, so attacker-controlled input can inject markup and scripts into the rendered output. Because the affected function is shared between Drupal and Pattern Lab, the issue is only exploitable when the code is run outside of Drupal; Drupal's own rendering path is not affected.
Impact
Exploitation of this vulnerability allows cross-site scripting: injected scripts run in the context of the site and the victim's browser session, which can lead to session hijacking, theft of data visible to that user, or actions performed on the user's behalf.
Reproduction
To reproduce this vulnerability, run the Unified Twig Extensions code outside of Drupal (for example, in a standalone Pattern Lab build), since the Drupal rendering path is not affected. Call the package's Twig link function with a link title that contains unescaped HTML, such as a script tag. Because the function returns its markup without escaping the supplied values, the Twig engine emits the tag verbatim into the rendered page and the script executes in the viewer's browser, demonstrating the cross-site scripting vulnerability.
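The following PHP script is an added illustration of the class of bug described above; it is not the Unified Twig Extensions project's code, and the extension class, the `link` function signature, and the attacker inputs are all constructed for this example. It assumes PHP 8.0+ and that `twig/twig` has been installed with Composer. The point it demonstrates is that a Twig function declared `is_safe` for HTML opts out of Twig's autoescaper, so any escaping has to happen inside the function itself.

```php
<?php
// Added example, not the project's code. Assumes `composer require twig/twig`
// has been run in this directory. All names and inputs below are constructed.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

/**
 * Hypothetical extension exposing a `link` function of the kind the advisory
 * describes. It returns finished HTML and is declared `is_safe`, so Twig's
 * autoescaper leaves the return value alone. That declaration moves all
 * responsibility for escaping into the function body.
 */
final class LinkExtension extends AbstractExtension
{
    public function __construct(private bool $escape) {}

    public function getFunctions(): array
    {
        return [
            new TwigFunction('link', [$this, 'link'], ['is_safe' => ['html']]),
        ];
    }

    /** Build an anchor element from a caller-supplied title and URL. */
    public function link(string $title, string $url): string
    {
        if (!$this->escape) {
            // Vulnerable variant: raw string interpolation. A title containing
            // "<script>" or a URL containing a double quote lands in the page
            // exactly as supplied, and Twig will not touch it (is_safe).
            return '<a href="' . $url . '">' . $title . '</a>';
        }

        // Hardened variant. Browsers ignore ASCII control characters inside
        // a URL scheme, so strip them before inspecting the scheme; then allow
        // only http(s) or scheme-less (relative) URLs, and escape both the
        // attribute value and the text node.
        $cleaned = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
        $scheme  = parse_url($cleaned, PHP_URL_SCHEME);
        if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
            $cleaned = '#';
        }
        $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
        return '<a href="' . htmlspecialchars($cleaned, $flags, 'UTF-8') . '">'
            . htmlspecialchars($title, $flags, 'UTF-8') . '</a>';
    }
}

/** Render a one-line template through the extension in either mode. */
function renderLink(bool $escape, string $title, string $url): string
{
    $loader = new ArrayLoader(['page' => '{{ link(title, url) }}']);
    $twig   = new Environment($loader, ['autoescape' => 'html']);
    $twig->addExtension(new LinkExtension($escape));
    return $twig->render('page', ['title' => $title, 'url' => $url]);
}

// Constructed attacker-controlled inputs: script in the title, a
// javascript: URL in the href.
$title = '<script>alert(document.cookie)</script>';
$url   = "java\tscript:alert(1)";

echo 'vulnerable: ', renderLink(false, $title, $url), PHP_EOL;
echo 'hardened:   ', renderLink(true, $title, $url), PHP_EOL;
```

Running the script with `php example.php` prints the two renderings side by side: the vulnerable mode emits the script tag and the `javascript:` href unchanged, while the hardened mode replaces the href with `#` and entity-encodes the title. If the function had not been registered with `is_safe`, Twig's `autoescape` setting would have encoded the whole return value, anchor tag included, which is why projects that emit markup from a Twig function take on the escaping work themselves.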
Remediation
Users are advised to upgrade to version 1.1.1 or later of the Unified Twig Extensions package. Update instructions are available on the Drupal.org project page for Unified Twig Extensions.
