GHSA-9f5h-mmq6-2x78

Summary

A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.

Proof of Concept

Required Permissions

• Administrator access
• allowAdminChanges is enabled in production, which is against our security recommendations.

Steps to Reproduce

1. Log in with an admin account
2. Navigate to Settings → Fields → New field
3. Choose Number as the field type
4. Set the Prefix/Suffix Text field to: <img width="611" height="908" alt="image" src="https://github.com/user-attachments/assets/63766ca4-4fa9-490b-8bea-37364137527d" />

<img src=x onerror="alert('Number Prefix/Suffix XSS')" hidden>

5. Save the field
6. Add this field to any element (e.g., User Profile fields via Settings → Users → User Fields)
7. Navigate to your account (/admin/myaccount) or any user profile (/admin/users/{id})
8. XSS executes when viewing the form <img width="1246" height="677" alt="image-1" src="https://github.com/user-attachments/assets/dafeb2b7-905f-4a4b-b3d6-1c16a905498f" />

Mitigation

Sanitize prefix/suffix before rendering or use |e filter instead of |raw.