Drupal Translate with GTranslate Resource Location Spoofing Vulnerability

Vulnerability

A vulnerability allowing resource location spoofing has been identified in the Translate Drupal with GTranslate module, affecting versions prior to 3.0.5. This issue arises from the module's JavaScript not properly validating the 'document.currentScript' reference, which could enable a user to manipulate language-switcher links to point to an unintended domain. The vulnerability is limited to sites using the paid versions of the GTranslate widget JavaScript, in configurations where the generated language links rely on script-provided values.
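The check the description refers to, validating 'document.currentScript' before script-provided values reach a link, can look like the following. This is an added example, not the GTranslate module's code; the function names, the allowed origin, the data-link-host attribute and the /<lang>/ link layout are assumptions made for illustration.

```javascript
// Added example, not the GTranslate module's code. All names are hypothetical.
const WIDGET_ORIGINS = new Set(['https://cdn.example.test']); // assumed widget host

// Return the running script element only if it really is a script element
// loaded over HTTPS from an expected origin; otherwise return null.
function trustedCurrentScript(doc, ScriptCtor) {
  const el = doc.currentScript;
  // A clobbered reference resolves to some other element type, so the
  // constructor check rejects it before any attribute is read.
  if (!(el instanceof ScriptCtor)) return null;
  let src;
  try { src = new URL(el.src); } catch (e) { return null; }
  if (src.protocol !== 'https:' || !WIDGET_ORIGINS.has(src.origin)) return null;
  return el;
}

// Build a language-switcher URL. The host comes from a script-provided value
// (hypothetical data-link-host attribute) and is accepted only when it is the
// site's own host or a subdomain of it.
function languageLink(doc, ScriptCtor, siteHost, lang) {
  if (!/^[a-z]{2,3}(-[a-z]{2,4})?$/i.test(lang)) return null;
  const script = trustedCurrentScript(doc, ScriptCtor);
  if (script === null) return null;
  const host = String((script.dataset || {}).linkHost || '').toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  if (host !== siteHost && !host.endsWith('.' + siteHost)) return null;
  return new URL('/' + lang.toLowerCase() + '/', 'https://' + host).href;
}

// Constructed stand-ins so the check runs outside a browser; in a page,
// pass `document` and `HTMLScriptElement` instead.
class FakeScript {
  constructor(src, dataset) { this.src = src; this.dataset = dataset; }
}
class FakeOtherElement {
  constructor(src, dataset) { this.src = src; this.dataset = dataset; }
}
```

When either check fails the function returns null, so the caller renders no link rather than one built from an unverified value.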

Impact

Exploitation of this vulnerability could lead to DOM clobbering and unauthorized manipulation of link destinations, potentially causing users to be directed to malicious or unintended websites.

Remediation

Users of the GTranslate module version 3.0.x should upgrade to GTranslate 3.0.5.

Added: May 19, 2026, 11:18 PM
Updated: May 19, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.2
exploitability: 5.4
remediation: 7.7
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.