Summary
A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.
Proof of Concept
Required Permissions
allowAdminChanges is enabled in production, which is against our security recommendations.
Steps to Reproduce
- Log in with an admin account
- Navigate to Settings → Fields → New field
- Choose Number as the field type
- Set the Prefix/Suffix Text field to:
  <img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
- Save the field
- Add this field to any element (e.g., User Profile fields via Settings → Users → User Fields)
- Navigate to your account (/admin/myaccount) or any user profile (/admin/users/{id})
- XSS executes when viewing the form

Mitigation
Sanitize the prefix/suffix before rendering, or use the |e filter instead of |raw.
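To make the fix concrete, the following added Twig fragment (not the project's own template; the variable name field.prefix is assumed) shows the weak rendering beside the corrected one, with the page's own payload as the stored prefix:

```twig
{# Weak: the Markdown output is marked safe with |raw, so a stored prefix of
   <img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>
   is emitted verbatim and the onerror handler runs in the viewer's browser. #}
<span class="prefix">{{ field.prefix|md|raw }}</span>

{# Corrected: HTML-escape the stored value, so the same prefix is emitted as
   &lt;img src=x onerror=&quot;alert(...)&quot; hidden&gt; and is shown as text. #}
<span class="prefix">{{ field.prefix|e }}</span>
```

The same change applies to field.suffix; a good regression check is to save the payload above as a prefix and confirm the profile page shows it as literal text.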
References
cb5fb0e